Hi Frans,
From your question, I cannot tell what exactly is amiss in your security group settings. However, instead of using security groups, which will no longer be available in the 2.5 release, you can use an XPath constraint in the instance access settings of your Project object:
[Module.Project_Organization/Module.Organization/Module.Person_Organization = '[%CurrentUser%]']
This constraint ensures that Persons (users) can only access projects that are related to their organization. Of course, you have to replace the names in the constraint by the actual names in your model.