I do not understand why he says you can not block a single IP with security groups. It seems quite possible.
you can only do it with Network ACLs
Answering my own question: It finally hit me that allow is not the same as Block
Security groups do not have "Block" rules. So blocking a single IP or a range of IPs while allowing everything else would require creating an allow for all the IP spaces except for the IPs you want to block.