by yrro 1247 days ago

    $ sudo -l
    [...]
    
    User yrro may run the following commands on fw33748-02:
        (ALL : ALL) ALL
        (ALL : ALL) !/usr/bin/sudo, !/usr/bin/su, !/bin/su
So

    $ sudo su -
    Sorry, user yrro is not allowed to execute '/usr/bin/su -' as root on fw33748-02.example.qq.

I'm not sure what point you're trying to make, but:

    $ sudo /bin/sh -c su -
It's never useful to deny certain commands to a user if that user is allowed to open a shell. Any shell. So you probably want to change that first line to

    (ALL : ALL) NOEXEC: ALL
and provide a whitelist for all tools that do spawn children as part of their normal operation (such as apt, dpkg, and probably half of all unix tooling).
It's how I've trained myself to avoid 'sudo su -' - by removing my user's ability to use sudo to run su ;)
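To make the two approaches in this thread concrete, here is an added sudoers drop-in (written for this page, not posted by either commenter) showing the deny-list rule from the first comment beside the NOEXEC rule from the reply; the user name, file path and package-tool paths are assumptions.

```sudoers
# Assumed location: /etc/sudoers.d/yrro  (validate with: visudo -cf /etc/sudoers.d/yrro)

# Form 1: the rule behind the `sudo -l` output above. Blanket ALL, with su
# and sudo denied. Because ALL still includes every shell and interpreter,
# the denials only stop the literal commands, not root access via a shell.
# yrro  ALL = (ALL : ALL) ALL, !/usr/bin/sudo, !/usr/bin/su, !/bin/su

# Form 2: the reply's suggestion. NOEXEC makes sudo preload a library that
# blocks execve() in the child, so whatever is run cannot spawn further
# programs. Tags carry forward through the list, so EXEC: re-enables
# child processes only for the whitelisted package tools.
Cmnd_Alias PKG = /usr/bin/apt, /usr/bin/apt-get, /usr/bin/dpkg
yrro  ALL = (ALL : ALL) NOEXEC: ALL, EXEC: PKG
```

Two caveats from sudoers(5): NOEXEC relies on LD_PRELOAD, so it does not constrain statically linked or setuid programs, and it restricts child processes only, so a shell granted under `NOEXEC: ALL` still runs as root with its builtins and redirections. The durable fix is to replace ALL with the specific commands the user needs.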