Security inclusions

harre
Posts: 95
Joined: 24 Nov 2020 02:22

Security inclusions

Post by harre »

I've had issues including new devices to my network. I constantly get key timeout when it's trying to get the keys.

I noticed it's working flawlessly if I just press the "Secure S2" button before inclusion.
What does it mean in practice when the device is missing the S0 security? And can I make using only S2 the default?

Also. What does it mean that I have ticked in both S2 unauthenticated and S2 authenticated?
seattleneil
Posts: 172
Joined: 02 Mar 2020 22:41

Re: Security inclusions

Post by seattleneil »

Secure S0 = the old/original method for Z-Wave security. If it's an older Z-Wave device that doesn't support S2 security and you want to have your Z-Wave messages encrypted, then S0 is the correct choice.

There are 3 Secure S2 classes. S2-Unauthenticated is appropriate when the controller has no keypad/keyboard or QR scanner. It does not require the user to enter a DSK. S2-Authenticated and S2-AccessControl both require the user to enter a DSK (via a keypad/keyboard or QR scanner). This validates that the device being added is actually the device you intended to add and is not a rogue device that's trying to add itself to your network at the same time you're trying to add the intended device. The difference between S2-Authenticated and S2-AccessControl is to restrict a controller from being able to talk to a Door Lock (Door locks use the S2-AccessControl key vs. "normal" S2-Authenticated devices which use the S2-Authenticated key).

Pressing the "Secure S2" button is a good choice. For newer devices that require security, it may be required, with S0 security being weaker and chattier. For a Z-Wave device where security is not required, I typically force an Unsecure inclusion because it's simpler and requires less processing.

> What does it mean in practice when the device is missing the S0 security? And can I make using only S2 the default?

It means you have a newer Z-Wave device. Be happy and use S2 security. If you request S2 inclusion and a device does not support S2 security, you should see an inclusion error. Most likely, you'll need to exclude the device and re-include it using either S0-Security or Unsecure. A different issue is if you include a device Unsecurely and the device requires either S0 or S2 security - the device will only provide access to a small set of Z-Wave command classes (i.e., the device won't be usable). When this happens, you'll need to exclude the device and re-include it with either S0 or S2 security.

> Also. What does it mean that I have ticked in both S2 unauthenticated and S2 authenticated?

It means the device can be included using either key. If you don't enter a DSK, it will use the S2-Unauthenticated key and if you enter a DSK, it will use the S2-Authenticated key. I find Z-Way's inclusion via the expert UI to be fickle and have had good success using the smarthome UI (select Devices from the top menubar, select Z-Wave device and then select Add New (the "+" sign)). If you're interested in my opinion, I find the Z-Way app to be unintuitive as it only shows icons and does not show labels for what the icons mean. That's why I prefer using the smarthome web UI for inclusion.
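
The key-class rules described in the reply above, as an added example that is not part of the original posts and is not Z-Way code: it decodes the one-byte "requested keys" bitmask a device sends during S2 inclusion, validates a typed DSK, and works out which keys a controller could grant. The function names, the `allow_s0` S2-only policy switch and the sample DSK are assumptions made for illustration.

```python
from __future__ import annotations
import re

# Bit values of the Security 2 "requested keys" byte.
KEY_BITS = {
    0x01: "S2-Unauthenticated",
    0x02: "S2-Authenticated",
    0x04: "S2-AccessControl",
    0x80: "S0",
}
DSK_REQUIRED = {"S2-Authenticated", "S2-AccessControl"}
SAMPLE_DSK = "12345-00001-65535-00000-11111-22222-33333-44444"  # constructed

def requested_keys(mask: int) -> list[str]:
    """Decode the requested-keys bitmask into security class names."""
    return [name for bit, name in KEY_BITS.items() if mask & bit]

def parse_dsk(text: str) -> bytes:
    """Parse a printed DSK (8 groups of 5 decimal digits) into 16 bytes."""
    groups = text.strip().split("-")
    if len(groups) != 8 or not all(re.fullmatch(r"\d{5}", g) for g in groups):
        raise ValueError("DSK must be 8 groups of 5 digits")
    values = [int(g) for g in groups]
    if any(v > 0xFFFF for v in values):
        raise ValueError("each DSK group encodes 16 bits (max 65535)")
    return b"".join(v.to_bytes(2, "big") for v in values)

def keys_to_grant(mask: int, dsk: str | None, allow_s0: bool = False) -> list[str]:
    """Keys a controller could grant for this inclusion.

    Without a DSK only S2-Unauthenticated qualifies; with a valid DSK the
    authenticated classes qualify too. allow_s0=False models a hypothetical
    "S2 only" policy: a requested S0 key is simply never granted.
    """
    if dsk is not None:
        parse_dsk(dsk)  # reject a mistyped DSK before granting anything
    granted = []
    for name in requested_keys(mask):
        if name in DSK_REQUIRED and dsk is None:
            continue
        if name == "S0" and not allow_s0:
            continue
        granted.append(name)
    return granted
```

A mask of `0x03` corresponds to the device in the question, with both S2 unauthenticated and S2 authenticated ticked and no S0.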
harre
Posts: 95
Joined: 24 Nov 2020 02:22

Re: Security inclusions

Post by harre »

Thanks for your clarifications!

I used the app previously a few years ago and felt it lacked functionality the web page provided, so I haven't tried it, as my goal is to set up automatic rules and I don't do so much on the app anyway.