From what I understand, the Chrome team does not consider a password manager as a security issue, but a user experience feature. If someone managed to access the machine, physically or taken over remotely, you have bigger problems (I think that was the reasoning).
Even banks have (slowly) stopped avoiding password managers.
Web applications cannot disable the password manager.
As a system administrator, you can disable the password manager for all of the websites, using an enterprise policy -
Note that existing saved passwords will still be automatically filled, only new ones will not be saved.
Disabling the password manager is a big hammer and a very bad user experience, so I advise against this as well as against trying to avoid saving the password.