When removing a set of nodes with dependencies between them, the order of removal isn't as it should be. e.g. Trying to remove the "A connected_to B" graph, will result in trying to remove B first, and only then A. This should obviously be reversed.
In order to recreate this issue, it is sufficient to run the deployment_update system test. Once the deployment is updated once, the security groups remains intact (although it should be removed. the reason it isn't is because openstack prevents the remove of the security group, since some node still uses this issue). Thus an assert should be added to the test, to directly check openstack for the existence of the security group.