Forum Moderators: phranque


allow and deny?


jackvull

12:31 pm on May 20, 2012 (gmt 0)

I need to allow 1 IP address even if it falls within the CIDR range. How can I do that?

<Limit GET POST>
order allow,deny
deny from 27.116.56.0/22
deny from 58.147.128.0/19
allow from all
</Limit>

I tried adding an allow from 27.116.1.1 but it doesn't matter whether I put that before or after the deny, it still gets denied.
Do I have to write 2 separate <Limit> entries?

wilderness

2:35 pm on May 20, 2012 (gmt 0)

27.116.1.1 is not part of the 27.116.56.0/22 (27.116.56-59) range.

You likely have another line somewhere else catching the visitor.

lucy24

3:01 pm on May 20, 2012 (gmt 0)

it doesn't matter whether I put that before or after the deny, it still gets denied

That's how the "allow/deny" formula works. It doesn't matter what order you say things in.

Order allow,deny
= blacklisting
= first read all "allow" lines and then read all "deny" lines.
= usually includes the line "allow from all" and then you list the ones you want to deny

Order deny,allow
= whitelisting
= first read all "deny" lines and then read all "allow" lines.
= usually includes the line "deny from all" and then you list the ones you want to allow

In this formula you cannot make exceptions like "allow from all of aa except the server farm at aa.bb" or "deny from everyone at cc except my friend at cc.dd.ee". For that you need to use some other approach, like Rewrite Conditions or a series of environmental variables.

Or you can do it by brute force: list all the CIDRs within range aaa that are below aaa.bbb, and then start up again with all the ones that are above aaa.bbb. This looks very pretty but does make extra work, both for you (once) and the server (every time).
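
To see why moving the allow line makes no difference, here is an added example (not code from the thread) that implements the evaluation order the Apache 2.2 mod_authz_host documentation gives for Order allow,deny and Order deny,allow, and runs the two Deny lines posted above through it. 27.116.57.5 is an assumed example address inside the posted /22, and 203.0.113.9 is a documentation-range address standing in for any other client; neither appears in the thread.

```python
"""Added example: simulate how Apache 2.2 mod_authz_host evaluates
'Order allow,deny' and 'Order deny,allow' for a client address."""
import ipaddress

# The two Deny lines from the thread's <Limit> block
DENY_LIST = ["27.116.56.0/22", "58.147.128.0/19"]

# Assumed example address inside the posted 27.116.56.0/22 (not from the thread)
EXCEPTION_IP = "27.116.57.5"


def _matches(client_ip, specs):
    """True if client_ip matches any spec: 'all', a single address or a CIDR."""
    addr = ipaddress.ip_address(client_ip)
    return any(spec == "all" or addr in ipaddress.ip_network(spec, strict=False)
               for spec in specs)


def decide(order, allow_specs, deny_specs, client_ip):
    """Return 'allow' or 'deny' following the documented 2.2 semantics.

    allow,deny: some Allow must match and no Deny may match, otherwise deny
                (unmatched requests are denied by default).
    deny,allow: a matching Deny rejects unless an Allow also matches
                (unmatched requests are permitted by default).
    Each group is evaluated as a whole, so where an Allow or Deny line sits
    relative to the others in the file makes no difference.
    """
    allowed = _matches(client_ip, allow_specs)
    denied = _matches(client_ip, deny_specs)
    if order == "allow,deny":
        return "allow" if allowed and not denied else "deny"
    if order == "deny,allow":
        return "deny" if denied and not allowed else "allow"
    raise ValueError(f"unknown Order: {order}")


def thread_ruleset(client_ip):
    """The posted 'order allow,deny' block plus 'allow from EXCEPTION_IP':
    the extra Allow changes nothing, because the Deny match still wins."""
    return decide("allow,deny", ["all", EXCEPTION_IP], DENY_LIST, client_ip)


def exception_ruleset(client_ip):
    """The same Deny lines under 'order deny,allow' with one Allow line:
    the Deny match on EXCEPTION_IP is overridden by its Allow match."""
    return decide("deny,allow", [EXCEPTION_IP], DENY_LIST, client_ip)


if __name__ == "__main__":
    for ip in (EXCEPTION_IP, "27.116.58.1", "58.147.140.7", "203.0.113.9"):
        print(f"{ip:>14}  allow,deny -> {thread_ruleset(ip)}  "
              f"deny,allow -> {exception_ruleset(ip)}")
```

Under allow,deny the verdict for the exception address is "deny" no matter where the extra allow line is written, since the Allow and Deny groups are each evaluated as a whole and a matching Deny wins. One more thing a practitioner should check in the posted block: the Deny lines sit inside `<Limit GET POST>`, so they govern only those two methods (HEAD is treated as GET); IP-based denial is normally written outside any `<Limit>` so that every method is covered.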

jackvull

6:39 pm on May 20, 2012 (gmt 0)

27.116.1.1 was just an example, pretend it's included in that CIDR :)

So, how can I allow 1 IP address if a range of denied CIDRs is above it?

order allow,deny
allow from 27.116.x.x
deny from 27.116.56.0/22
deny from 58.147.128.0/19
allow from all

wilderness

7:21 pm on May 20, 2012 (gmt 0)

you revise your method as lucy explained.

RewriteEngine on (note if NOT on previously)
# client address is inside 27.116.56.0/22 (third octet 56 to 59) ...
RewriteCond %{REMOTE_ADDR} ^27\.116\.5[6-9]\.
# ... and is not the one address being let through (fill in the last two octets)
RewriteCond %{REMOTE_ADDR} !^27\.116\.x\.x$
RewriteRule .* - [F]

or you may break down the 56-59 into the octets you desire, which would require more expression lines than these three.

jackvull

5:05 pm on May 21, 2012 (gmt 0)

Can I just create a separate RewriteCond at the end?
...because my htaccess is already pretty extensive.
In fact I have this htaccess on the main folder and the allow,deny on a subfolder called cart.
Also, how do I transform an IP CIDR into the htaccess format for RewriteCond because I have about 200 lines of IP addresses + CIDR masks at the moment.


<Files .htaccess>
deny from all
</Files>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^(www\.aaa\.co\.uk)?$
RewriteCond $1 !^cart/updateorders\.php$
RewriteCond $1 !^aaaCheck\.php$
RewriteRule ^(.*)$ http://www.aaa.co.uk/$1 [R=301,L]
#block proxy servers
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^(.*)$ - [F]
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
ErrorDocument 403 "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access.<br />If you believe this to be in error, please contact <a href='mailto:sales@aaa.co.uk'>sales@aaa.co.uk</a></body></html>



Current .htaccess in sb folder

# Copyright 2012 Country IP Blocks LLC
#all rights reserved.
#This list may not be redistributed in any form.
#this list includes network data on the following countries:
#AFGHANISTAN, BANGLADESH, BELARUS, CAMEROON, CENTRAL AFRICAN REPUBLIC, COTE D'IVOIRE, EQUATORIAL GUINEA, GHANA
<Limit GET POST>
order allow,deny
deny from 27.116.56.0/22
deny from 58.147.128.0/19
deny from 61.5.192.0/20
deny from 103.5.172.0/22
deny from 103.5.196.0/23
deny from 103.7.104.0/22
deny from 103.23.36.0/22
deny from 103.23.247.0/24
deny from 103.28.132.0/22
deny from 103.247.198.0/24
deny from 111.125.152.0/21
deny from 111.223.244.0/22
deny from 117.55.192.0/20
deny from 117.104.224.0/21
deny from 119.59.80.0/21
deny from 121.100.48.0/21
deny from 121.127.32.0/19
deny from 124.199.112.0/20
deny from 125.213.192.0/19
deny from 175.106.32.0/19
deny from 180.94.64.0/19
etc

wilderness

5:30 pm on May 21, 2012 (gmt 0)

Can I just create a separate RewriteCond at the end?


Sorta.
The order of the regex lines in your file is crucial.
Redirects should be placed later in the file so as not to expose paths to rewrites.

Denials of access should be placed near the top of the file so that remaining rules are not required to process the same thing uselessly.


...because my htaccess is already pretty extensive.


Large by whose standard?
My own file is just under 2000 lines, which is quite large by most standards.

In fact I have this htaccess on the main folder and the allow,deny on a subfolder called cart.


Location depends upon whether you're attempting to deny the entire site or just the cart.

Also, how do I transform an IP CIDR into the htaccess format for RewriteCond because I have about 200 lines of IP addresses + CIDR masks at the moment.


cidr+convert [google.com]

You'll likely not need to convert them all, rather, only the ones that require exceptions of access.
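
Two questions in this thread are served by one added example (not code from the thread): the RewriteCond block with a negated exception that wilderness posted, and the request to convert a couple of hundred CIDR lines into that format. The Python below turns each IPv4 CIDR into an anchored REMOTE_ADDR pattern in the same style (literal octets, a range for the partly fixed octet, an anchor), cross-checks the pattern against the ipaddress module, and emits the RewriteCond/RewriteRule lines with the exception address negated. The CIDRs are the first two from the posted list; 27.116.57.5 is an assumed address inside the /22, and the function names are mine.

```python
"""Added example: turn a CIDR list into mod_rewrite RewriteCond patterns,
with per-address exceptions, for an Apache that predates 2.4."""
import ipaddress
import re


def _same_len(lo, hi):
    """Regex for the decimal integers lo..hi, which have the same digit count."""
    if lo == hi:
        return str(lo)
    if lo // 10 == hi // 10:              # only the last digit varies
        return f"{str(lo)[:-1]}[{lo % 10}-{hi % 10}]"
    parts = []
    if lo % 10:                           # leading partial decade, e.g. 128..129
        parts.append(_same_len(lo, lo - lo % 10 + 9))
        lo = lo - lo % 10 + 10
    tail = None
    if hi % 10 != 9:                      # trailing partial decade, e.g. 250..255
        tail = _same_len(hi - hi % 10, hi)
        hi = hi - hi % 10 - 1
    if lo <= hi:                          # whole decades: recurse on the tens
        parts.append(_same_len(lo // 10, hi // 10) + "[0-9]")
    if tail:
        parts.append(tail)
    return parts[0] if len(parts) == 1 else "(?:" + "|".join(parts) + ")"


def _octet_range(lo, hi):
    """Regex for lo..hi (0..255), split at the 1-, 2- and 3-digit boundaries
    so that no alternative needs a leading zero."""
    parts = []
    for bound in (9, 99, 255):
        if lo > bound:
            continue
        top = min(hi, bound)
        parts.append(_same_len(lo, top))
        if top == hi:
            break
        lo = top + 1
    return parts[0] if len(parts) == 1 else "(?:" + "|".join(parts) + ")"


def cidr_to_regex(cidr):
    """Anchored PCRE pattern matching exactly the IPv4 addresses in cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("IPv4 prefixes /1 to /32 only")
    first, last = net.network_address.packed, net.broadcast_address.packed
    fixed = net.prefixlen // 8            # octets that are fixed entirely
    pieces = [str(b) for b in first[:fixed]]
    if net.prefixlen % 8:                 # one octet is only partly fixed
        pieces.append(_octet_range(first[fixed], last[fixed]))
        fixed += 1
    pattern = "^" + r"\.".join(pieces)
    # remaining octets are unconstrained: stop at the next dot, or at end of string
    return pattern + (r"\." if fixed < 4 else "$")


def regex_agrees_with_cidr(cidr, samples):
    """Self-check: the generated regex and ipaddress agree on every sample."""
    pat = re.compile(cidr_to_regex(cidr))
    net = ipaddress.ip_network(cidr, strict=False)
    return all(bool(pat.match(ip)) == (ipaddress.ip_address(ip) in net)
               for ip in samples)


def rewrite_block(cidrs, allow_ips=()):
    """mod_rewrite lines denying every CIDR in cidrs except allow_ips.
    The negated exception lines sit outside the [OR] group, so they are
    ANDed with it. Assumes RewriteEngine On already appears once in the file."""
    if not cidrs:
        raise ValueError("an empty deny list would forbid every request")
    lines = [f"RewriteCond %{{REMOTE_ADDR}} !{cidr_to_regex(ip + '/32')}"
             for ip in allow_ips]
    for i, cidr in enumerate(cidrs):
        flag = " [OR]" if i < len(cidrs) - 1 else ""
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} {cidr_to_regex(cidr)}{flag}")
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)


def would_block(cidrs, allow_ips, client_ip):
    """Evaluate the emitted block the way mod_rewrite would for client_ip."""
    excepted = any(re.match(cidr_to_regex(a + "/32"), client_ip) for a in allow_ips)
    denied = any(re.match(cidr_to_regex(c), client_ip) for c in cidrs)
    return denied and not excepted


if __name__ == "__main__":
    # First two CIDRs from the posted list; the exception address is assumed
    print(rewrite_block(["27.116.56.0/22", "58.147.128.0/19"], ["27.116.57.5"]))
```

The generated groups are non-capturing so they do not disturb any %N back-references elsewhere in the file, and the /22 pattern comes out as ^27\.116\.5[6-9]\. just as wilderness wrote it. Following the ordering advice above, the emitted block belongs near the top of the file, before the redirect rules, and only the ranges that need an exception have to go through mod_rewrite; the rest can stay as Deny lines.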

jackvull

9:29 pm on May 21, 2012 (gmt 0)

Does it matter that I have this twice in the file:
RewriteEngine On

So it should go:
ban file listing
ban IP addresses
allow IP addresses
ban proxies
ban bots

wilderness

9:36 pm on May 21, 2012 (gmt 0)

Does it matter that I have this twice in the file:
RewriteEngine On


once only per htaccess

While you're at it, you may take these entire lines
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]


and change them to a single line

RewriteCond %{HTTP_USER_AGENT} ^Web [OR]

The previous "specific order" reference was to your mod_rewrite section

lucy24

11:22 pm on May 21, 2012 (gmt 0)

Also, how do I transform an IP CIDR into the htaccess format for RewriteCond because I have about 200 lines of IP addresses + CIDR masks at the moment.

Wait for your host to move up to Apache 2.4. Rumor has it the new improved mod_rewrite recognizes CIDR masks so you won't need to change anything.