Is it possible that browsercache can 'overrule' the actual security settings? I first deployed in development mode (I can delete object X in this mode) en then deployed in production mode. The 'delete' button will remain visible till I emptied my browsercache though...
That the button remained visible is indeed caused by your browser caching the form. The actual security checks are performed on the server however, so you still wouldn't be able to actually delete those objects.