If I remember correctly, part of the security of the system module is "hard coded" in Mendix and cannot be expressed in the model using the security DSL. This is because the system module has some special properties (necessary for running a Mendix application) that "normal" user modules never have.
Check this screenshot.
In project security, for “Administrator” userrole, we provide system.administrator role.
Then in the Edit popup, we have the check box checked.
For “User” userrole, this checkbox will be checked off.