your report is missing the information on **how** did you disabled serve-cgi-bin.conf?
Ah, sorry.
I manually deleted the link from conf-available/ to conf-enabled/.
I later had some doubts whether I had asked for problems by doing
so, I checked the a2disconf script, and if I'm not mistaken it
basically does the same thing. In any case I didn't find evidence
that the script "registered" this action somewhere, which would be
the precondition for not "force-enabling" it later...