Aeotec Smart Switch 6 (AEON Labs ZW096) - Unable to pair in S2 secure mode

Regardless of following manufacturer’s instructions to pair in secure mode i.e. (2 presses of front button within one second) the Smart Switch 6 refuses to pair securely with HASS > Z-Wave JS

Background:
Have looked at Home Assistant over the years but the tipping point was the liquidation of Boundary Alarm (UK) around Dec 2022 - Mar 2023. Left with 10 sensors winking blue lights communicating with a hub that was now just a piece of wall art…

So, yet another Pi4 Model B 4GB spun up with Home Assistant Pi OS and a Z-Stick 7.
HASS updated the Z-Stick firmware no problem to Firmware 7.17.2

All went pretty well, with some teething troubles, with the 10 Boundary sensors first excluded via factory reset of the Boundary Hub > Z-Wave JS integrated > paired the sensors using USB QR-Code reader and eventually had them all reporting:
Highest security: S2 Authenticated
Z-Wave Plus: Version 2

Lots of playing around, and finding my way around the various aspects of automations, dashboards, alerts etc. etc.

Ordered an Aeotec Smart Switch 6 from AMZN, arrived yesterday - it clearly states “Z Wave Plus” and supports S2 security.
Using the “2 button press” to enable security:

It simply refuses to report a secure pairing. Am I missing something? I have removed, re-included many times, even performed a factory reset - still just:
Status: Alive
Ready: Yes
Highest security: None
Z-Wave Plus: Version 1

The old Boundary sensors are all Z-Wave 700 (Plus) “Highest Security: S2 Authenticated” and Z-Wave JS has fully populated KEYS in it’s config.

I am pairing the Smart Switch 6 approx 150mm away from the Z-Stick 7 (can’t get it any closer really).

Is it because it is classed:

basic device class:    Routing Slave
generic device class:  Binary Switch
specific device class: Binary Power Switch

Is it being seen by HASS / Z-Wave JS as a “non security” device and therefore defaulting to non-secured? If so, can this behaviour be forced to secure within HASS / Z-Wave JS?

Any thoughts or suggestions would be appreciated!

Smart Switch 6 doesn’t support S2. Where do you see that it does?

@freshcoast thank you for your response.

You are right, and I have demonstrated my, so far, limited knowledge of the whole Z-Wave space!

I had naively inferred from various sources that Z-Wave Plus had to include encrypted communication by default. The lack of a QR-Code / PIN on the device should have alerted me to the lack of S2. And even in the name “Smart Switch 6” I guess refers to 600 as opposed to “7” which would indicate Z-Wave 700…
[Edit] It’s actually Aeotec Gen 5

So, does: “Highest security: None, Z-Wave Plus: Version 1” mean that the device is not using any form of encryption for communication?

Am also misunderstanding this, from Aeotec’s Smart Switch 6 user guide?

I am using the " Pair in Advanced Security Mode" method.

I consider that any attached smart switching device that might control a heating or other potential fire-risk (non-lighting) source, or even a nuisance source such as a music system etc. should have secure encrypted communications. There’s one thing a hacker turning your house into a Christmas tree while you’re away on holiday, but powering up any electric heaters or your music system at 03:00 could be a different story!

Correct, Z-Wave Plus does not automatically infer S2 support. There was a period of time where Plus devices were not required to support it, but I believe they are now. Most of my devices are Plus but no S2.

If you want to use S0 security, you need to manually select that inclusion strategy in the software when including the device. Z-Wave JS will not include non-security devices with S0 unless explicitly directed to (docs). In most cases, S0 is bad for the network (see point #6 in docs).

Someone controlling my un-encrypted Z-Wave devices is probably the lowest thread model I could think of for my house. Of course, you’ll have to make that judgement yourself.

Thank you.

Much to consider! But your insight has been most helpful.