This might be a bit of a mindfsck because you are using a permit which makes the deny valid, but this is the way route-maps work.
You feed ip addresses to the route-map. If the ip address matches in the route-map your action will appy. Now, you use a prefix list as well. The prefix-list will filter the prefixes being fed to the route-map.
So if 0.0.0.0/0 is coming into the route-map, it will try to match it to the prefix-list, it matches the prefix list, so it is then being matched with your route-map entry, which say it should deny it.
If for instance 192.0.2.0/24 is coming into the route-map, it will try to match it with your prefix-list, it fails, which will make it accepted (or actually not be evaluated) by your route-map.