Just an additional info. You can force a S2 device where a PIN is needed to include it as unsecured by using a wrong PIN. e.g. 00000. This could be necessary if you want to use associations.
Btw, there is already a request to Athom (Athom partially reads posts in the forum, but in principle does not respond to them) that it should be made possible for the user to choose during inclusion if a security standard should be used or not.
If you are also interested in this, then you can like the post.