Snarg

The most likely to work setting is 444 (read only).  But 644, 640, or 400 might work.  This depends on how your host is set up. 
This is almost all outside osCommerce.  Ask your host how to enable SSL.  Again, that depends on how your host is set up.  This may be as simple as flipping a switch or it may be complicated. 
With SSL enabled, CE Phoenix will automatically configure your store if you run the install procedure from the https URL.  I.e. if your store is https://www.example.com/ then going to https://www.example.com/install/install.php should handle the configuration for you.  Note that this will clear out any changes you already made to the database.  It's also possible to enable SSL by manually editing the two configure.php files to replace http: with https: if you don't want to reset your store.  In either case, you need to have the SSL working on the domain before you try to configure CE Phoenix. 
Those notices will be gone in the next version.  If they are really bothering you, in the configure.php files change the error_reporting(E_ALL) to
error_reporting(E_ALL & ~E_NOTICE); Or simply set display_errors to false.  Your host should offer a way for you to do this.  It's PHP configuration.  Again, the exact method is going to be different from host to host. 

You are somewhere between Gold and Frozen.  

Action Recorder
Could not create_account be protected with an action recorder module ?
Recaptcha
Protect create_account with a Recapcha as well?
IP Address
Store IP address as part of account creation.  Isn't everyone doing that anyway per GDPR ? 😂
Back End
What about a backend page that allows shopowner to drill down customers [and delete them], eg show me;
customers who registered between X date and Y date and/or have not logged in since and/or have made no orders Self Approve
How about getting customer to approve themselves (rather than be admin approved).  
IE, they create account & immediately logged out.  They have to check their email to access a page which "open sesame" their account and access to checkout procedure.  Obviously not right for all shops, but some shops that might be suitable for.
That's 5 ideas that spring to mind immediately...
 

See the Honey Pot addon. There are only a few changes needed. It stops 100% of spam by bots on the contact us page and is completely transparent to the customer.

There are several threads regarding this on this subject. There's no simple way to remove them in a stock shop. You can do one of the following:
If there are not too many, you can manually delete them in admin->Customers. If there are too many to delete manually, you can delete them by editing the database. How easy this is depends on when the accounts were created and if there is something in common with them, like the same in each. To prevent it from happening again,
If you can determine the country that the accounts are being added from and if you won't sell to that country, then remove the country from the countries list in admin or install an addon or package that blocks countries if your host doesn't provide that option. If you can determine the IP of those that created the account, you could block those IP's. There are addons meant to store the IP if you don't have one installed.

@@Snarg
 

<?php echo TEXT_CHOOSE_SHIPPING_DATE . '<br /><br />' . tep_draw_input_field('delivery_date', '', 'id="delivery_date"'); ?> to: 

<?php echo TEXT_CHOOSE_SHIPPING_DATE . '<br /><br />' . tep_draw_input_field('delivery_date', '', 'required aria-required="true" id="delivery_date"'); ?> ps, I award you todays prize for replying to the oldest thread ;)

Yes.

@@Snarg Sorry, missed your questions.
 
1. Yes, but that would take some custom code.
 
2. Yes, and that should be an option. For now it would also require custom code. I'll add this when I get the time.
 
Regards
Jim

No, you need to delete a lot more. Take your first try, then get rid of all this:
 

<h1><?php echo HEADING_TITLE; ?></h1> <div class="contentContainer"> <div class="contentText"> <?php echo tep_customer_greeting(); ?> </div> <?php if (tep_not_null(TEXT_MAIN)) { ?> <div class="contentText"> <?php echo TEXT_MAIN; ?> </div> <?php } include(DIR_WS_MODULES . FILENAME_NEW_PRODUCTS); include(DIR_WS_MODULES . FILENAME_UPCOMING_PRODUCTS); ?> </div>
 
Regards
Jim

Yes this contrib works to latest version of osC and PHP.
 
Note: If you can't find a proposed code change then it no longer matters ( ignore it ) I haven't yet upgraded the "changes" instructions but some are really not important to correct operation on newer versions of osC.

There is an add on that will pass the order details to paypal. I use this one but there are others.