I would not consider this a security issue.
Disabled buttons are usually used in an application in order to make it apparent that a relevant feature is currently not available. There is also the option of not making a button present in the HTML at all by setting its "alwaysCreate" property to false, and explicitly creating it when relevant.
If a button should never be available to a group of users, its presence can also be controlled using the permission mechanism (adding a property "requiredPermission").
As for security:
In order to make sure that an operation is permitted in a particular context, server-side validation is required in addition to any validations or UI adjustments made on the client side. The "Secure Service" template can be used as a starting point for that.
However, if you only care about the availability of a function (and don't need to validate the actual parameters), using requiredPermission is sufficient. The platform takes care of both eliminating the relevant display items for non-permitted users, and of validating (on the server side) that the user has the appropriate permissions.
I hope this helps ...
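Added example, not part of the original answer and not the platform's own API: a minimal server-side dispatcher showing the two checks the answer distinguishes, a permission check for availability of a function and parameter validation for the context of a call. All names (`invoke`, `operations`, the users and orders) are hypothetical and the data is constructed.

```javascript
// Hypothetical dispatcher; illustrative names, not the platform's API.
// Constructed sample data: two users and two orders.
const users = {
  alice: { permissions: ["order.approve"], department: "sales" },
  bob: { permissions: [], department: "sales" },
};
const orders = {
  1001: { department: "finance", status: "pending" },
  1002: { department: "sales", status: "pending" },
};

// Own-property lookup so keys like "__proto__" never resolve to anything.
const own = (obj, key) =>
  Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : null;

// Each operation declares the permission it needs and a validator for the
// actual parameters of the call.
const operations = {
  approveOrder: {
    requiredPermission: "order.approve",
    validate(user, params) {
      const order = own(orders, params.orderId);
      if (!order) return "unknown order";
      if (order.status !== "pending") return "order is not pending";
      if (order.department !== user.department) return "other department";
      return null; // parameters are acceptable for this user
    },
    run(user, params) {
      orders[params.orderId].status = "approved";
      return "approved";
    },
  },
};

// Runs for every request, whatever the client UI showed or hid.
function invoke(userId, opName, params) {
  const user = own(users, userId);
  const op = own(operations, opName);
  if (!user || !op) return { ok: false, status: 404, error: "not found" };
  // Availability: does the user hold the permission the operation requires?
  if (!user.permissions.includes(op.requiredPermission))
    return { ok: false, status: 403, error: "missing permission" };
  // Context: are these particular parameters allowed for this user?
  const problem = op.validate(user, params || {});
  if (problem) return { ok: false, status: 403, error: problem };
  return { ok: true, status: 200, result: op.run(user, params) };
}
```
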