This "problem" was introduced as part of changes made to the RBAC model in Exchange 2010 SP1. The actual problem is fairly well known, even though Microsoft doesn't like to talk about it. It is the result of a philsophical shift in the approach to security with regards to "split permissions" between Active Directory and Exchange administrators. This problem centers around mail-enabled security groups almost exclusively. There are various workarounds that can be used to adequately manage pure distribution groups, but once you make that group a security principal, RBAC takes over and whacks you on the head.
Microsoft fixed this partially in Update Rollup 3 when they added the -BypassSecurityGroupManagerCheck flag back to the Powershell command that gets executed when you attempt to update security group memberships from within the Exchange 2010 admin console. The problem is that they DID NOT add this flag to the behind-the-scenes scripting that occurs when you do the exact same thing from OWA (or Outlook, which is probably impossible with the new model). The fix for this is pretty darn simple. Just add the -BypassSecurityGroupManagerCheck flag to the scripting that occurs behind the scenes when a properly configured RBAC user is trying to manage a mail-enabled security group. You did it for the EMC, now do it for the ECP in OWA. Please. No waiting for Exchange 2020 or service pack 300. You could fix this in an update rollup tomorrow.