When merging port ranges, the code never assumed the
conjunction ID might not be present in the set due to
already being removed.
In this case there were two security groups, both using
the same remote security group, but the first security
group does not define a port range and the second one does.
Or more generally, the first SG port range is a subset
of the second, as no port-range means the full range.