Yes stored routine security syntax is bizarre.
"CREATE PROCEDURE and CREATE FUNCTION require the CREATE ROUTINE privilege. If the DEFINER clause is present, the privileges required depend on the user value, as discussed in Section 24.6, “Stored Object Access Control”. If binary logging is enabled, CREATE FUNCTION might require the SUPER privilege, as discussed in Section 24.7, “Stored Program Binary Logging”.
"By default, MySQL automatically grants the ALTER ROUTINE and EXECUTE privileges to the routine creator. This behavior can be changed by disabling the automatic_sp_privileges system variable. See Section 24.2.2, “Stored Routines and MySQL Privileges”.
"The DEFINER and SQL SECURITY clauses specify the security context to be used when checking access privileges at routine execution time, as described later in this section."
To have the sproc run with invoker's instead of definer's privs, use SQL SECURITY INVOKER.