When logging into OWA 2010, the security code field can be blank or have an incorrect security code but login is still successful

In the VIP Integration settings the path to the owa dll file is incorrect.  It should be a relative path, such as /owa/auth/owaauth.dll.

In some later versions of OWA 2010, it may be using auth.owa instead of the owaauth.dll file.  The auth.owa is used in OWA 2013.  To see if this is the case, look in the IIS logs (C:\IIS\Logs\WSSVC2 for example).  It will show a POST to /owa/auth.owa.  If this is the case, configure the VIP Integration settings to reflect the OWA 2013 version as per the documentation.  This would mean setting the version to 2013 and using /owa/auth.owa in the path.