I’m not expert on zwave, and am often wrong, but I don’t think this is possible even without security. Every device I’ve ever seen requires a physical action on the device to add it to a network. Without the physical action there is no way to cause the device to try to join a new network.
Theoretically someone with a zwave sniffer could read the messages being exchanges across the zwave mesh without security. I suppose theoretically someone should perform a playback attack, spoof attack, or perhaps a man-in-the-middle attack. I’ve seen proof of concept of some of these for zigbee but not for zwave.
OH 2.3 does not support ANY security. Support for that wasn’t added until OH 2.4 M4. If you created/discovered zwave Things running in OH 2.3, you will need to delete those Things and rediscover them after upgrading to any version of OH after 2.4 M4. See ZWave binding updates.
I do not believe S2 is supported yet though I think someone is working on it.
I believe using Security is just encryption. I don’t think there is any authentication outside of proving you have physical access to the device (i.e. performing the physical action on the device to include it into the network) at the time of inclusion.