The only way you'd have a secure Windows 2000 system is to install it on a machine not connected to the internet and bury it a mile down in an old mine full of radiation, zombieitis and super syphilis so nobody would venture there.
Windows 2000 has plenty of critical vulnerabilities that were never patched, and if you could override the boot environment, you could just walk right in the front door with offline NT password changer.
Has nothing to do with 2K itself.
Of course you can reset the admin password if you have physical access and the drive is not encrypted (and the machine is not AD-bound).
Put your 98SE permanently online with public IP address on the interface and see what happens...
Is one potential source of problems on NT/2K/XP vs. 9x the fact that the former has filesystem permissions, preventing software from writing settings into its own install directory, the Windows directory, the root of the hard drive, etc.? I seem to recall this being an issue with older software running on XP if you ran under an account without administrator permissions, although of course most people just ran under accounts with administrator permissions all the time, because until Vista came along, it wasn't really convenient to do otherwise (yes, everyone hated UAC, but it was nicer than having to explicitly "Run as Administrator" all the time).
Except that in 2k the permissions are set to 'yes' by default. Thats what I love so much about 2k. You CAN configure it to be the most secure OS on the planet, but its default settings make it more like the fun uncle of operating systems.
Look, classic Windows brought bad programming practice that created bad user practices. Under no consideration should you have absolute access in a multiuser system.
Classic Windows way was a dying dinosaur even back then.
The bigger problem were people saying, oh, user segmentation is crap, FS permissions are crap, let's just run everything as Admin.
Microsoft literally saved the day by imposing UAC.
In like mid 2010s I stumbled upon a open source project for *nix that had "run install script with sudo" as installation procedure, although under no circumstances should an user application ask for root just to copy and configure itself. Users were perfectly fine with it, as it was a desktop tool used in desktop distros. Until the author made a single character typo in the script - instead of "rm -rf /tmp/$mydir" he did "rm -rf / tmp/$mydir" effectively deleting the root filesystem of his users.
So yeah, you cannot go convenience over security even in the most dumbed down "user friendly" version of Linux - same applies for Windows NT.
Personally I've always
hated the mess classic Windows makes out of the filesystem, as opposed to perfect order on something like BSD. NT has fixed that a bit.
MS gives you a centralized configuration database which is not friendly to easy offline inspection or repair, the Registry, it's a BDB and you need tools to manage it. On the other hand, they do not impose any rules on where and how the user application holds its configuration. So it might be in non-human-readable Registry, but it might be anywhere else too, including an INI file in the C:\ root if they wish. Now that's pure bullshit.
Microsoft made a grave mistake not introducing an user directory in Windows 95. Especially because it was able to work in multiuser networks from the get go.