I’m assuming this can only be run offline? The number of security vulnerabilities published and not are probably too numerous to risk getting this on the www
I would think running it behind a hardware firewall/router/NAT and using a modern browser (someone further up mentioned recent versions of chrome) should take care of most vulnerabilities unless opening something malicious (document/app).
The practical difference is that keeping on top of the Win10 vulns would take considerable effort, whereas exploiting (a stock install of) Win2K is “download Metasploit and run this one line to get a remote SYSTEM shell”.
The argument is not that 10 is better or even more secure—surely all the added code has to count for something, although the (glaring absence of) security engineering in 2K gives me a sense of vague horror—it’s that running the latest 10 probably makes you substantially faster than the slowest camper, even if it doesn’t make you faster than the proverbial bear.