Shouldn't services_auth_invoke return NULL id no access function found?

Hmm, I think that this is a heritage from the way key auth worked before the pluggable auth patch (I think, have not double-checked). When I wrote the patch my focus was to cause as little disruption as possible, therefore things like that stuck. In your example the response is probably returned because if something really goes wrong in a auth module it will return a description of what the failure was, so it would become: "#data => 'Who are you really?' #error => 1". Not double-checking here, please correct me if I'm wrong.

I would say that using return values for error handling is pretty bad overall. The servers are actually free to do whatever they want when services_error is called. For instance in rest_server I've chosen to throw an exception instead of relying on return values. As the server is the one that calls services_method_call it also has the opportunity to catch any exceptions. I'm actually thinking about making Exceptions the default way to tell services that something has gone terribly wrong, but that's definitely a 3.x thing.

I'm marking this as a by design, but I agree with you that the design may not be all that good. Feel free to change it back if you disagree.