GhostPack / SharpUp

SharpUp is a C# port of various PowerUp functionality.


SharpUp fails to detect when too permissive ACLs are set on a service's registry key

cnotin opened this issue

There are several ways to exploit weak ACLs on a service, depending on where the ACL is set:

  • File ACLs on the service binary file:
    • Detected by SharpUp with GetModifiableServiceBinaries
  • Service ACLs on the service itself:
    • Detected by SharpUp with GetModifiableServices
  • Registry ACLs on the service's registry key in HKLM\SYSTEM\CurrentControlSet\Services
    • NOT detected by SharpUp (let me know if I'm missing something here)

This technique is described in ATT&CK with ID T1058 and in many other documents and tutorials, e.g. https://labs.mwrinfosecurity.com/assets/1089/original/Windows_Services_-_All_roads_lead_to_SYSTEM-1.1-oct15.pdf in section "2.2 Insecure Registry Permissions".
I confirm that the ACLs on the service itself can be different than the ones set on the registry key of the service.
For example, under HKLM\SYSTEM\CurrentControlSet\Services\<service_name>\ each service has a value entry named ImagePath that can be changed to start a different service binary file, if the attacker has the proper rights on HKLM\SYSTEM\CurrentControlSet\Services\<service_name>\ and the service runs as a more privileged user (e.g. SYSTEM).
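An audit routine for the missing check, written in SharpUp's language as an added example (not SharpUp's or cnotin's code; the class and method names are my own): it walks the Services key and reports each service key on which a SID present in the caller's token holds an Allow ACE granting write rights, printing the current ImagePath so the finding can be reviewed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;
// Added audit example, not SharpUp code. Reports service keys on which a SID from the
// caller's token holds an Allow ACE with write rights. Deny ACEs are not subtracted.
static class ServiceKeyAclAudit
{
    // Rights that let a principal change ImagePath or add subkeys under the service key.
    const RegistryRights WriteRights = RegistryRights.SetValue | RegistryRights.CreateSubKey |
        RegistryRights.WriteKey | RegistryRights.ChangePermissions | RegistryRights.TakeOwnership;
    public static List<string> FindWritableServiceKeys()
    {
        var hits = new List<string>();
        var me = WindowsIdentity.GetCurrent();
        var tokenSids = new HashSet<string> { me.User.Value };
        foreach (var g in me.Groups) tokenSids.Add(g.Value);
        using (var services = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Services"))
        {
            if (services == null) return hits;
            foreach (var name in services.GetSubKeyNames())
            {
                try
                {
                    // Open with just enough access to read the DACL and the ImagePath value.
                    using (var key = services.OpenSubKey(name, RegistryKeyPermissionCheck.ReadSubTree,
                               RegistryRights.ReadPermissions | RegistryRights.QueryValues))
                    {
                        if (key == null) continue;
                        var rules = key.GetAccessControl(AccessControlSections.Access)
                                       .GetAccessRules(true, true, typeof(SecurityIdentifier));
                        foreach (RegistryAccessRule rule in rules)
                        {
                            if (rule.AccessControlType != AccessControlType.Allow) continue;
                            if (!tokenSids.Contains(rule.IdentityReference.Value)) continue;
                            if ((rule.RegistryRights & WriteRights) == 0) continue;
                            var imagePath = key.GetValue("ImagePath") as string ?? "<none>";
                            hits.Add($"{name}: {rule.IdentityReference} has {rule.RegistryRights}; ImagePath={imagePath}");
                            break; // one finding per service key is enough
                        }
                    }
                }
                catch (Exception) { } // caller lacks READ_CONTROL (or the key vanished); skip it
            }
        }
        return hits;
    }
    static void Main() { foreach (var h in FindWritableServiceKeys()) Console.WriteLine(h); }
}
```

Deny ACEs are not subtracted and inherited rules are included, so treat each hit as a candidate to verify against the key's effective permissions rather than a confirmed weakness.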