
I've heard of a case wherein the domain name of the secondary name server was expired and free to register.

Let's say example.com has two registered nameservers:

  1. example-ns1.com (primary)
  2. example-ns2.com (secondary)

The domain example-ns2.com is expired and free to register. If an "attacker" claims the domain name of the second name server:

  1. Would that only affect example.com when the name server with domain example-ns1.com is offline?
  2. Will the "attack" only work when DNSSEC was not (properly) implemented before example-ns2.com expired?
Bob Ortiz

1 Answer


DNS resolvers choose the name server to obtain the answer from randomly. There is no difference between primary and secondary NS servers from this point of view.

If you have 2 NS servers and one is compromised in any way, there is roughly a 50% chance that the caching DNS server asks the compromised NS server. When it does and gets a spoofed reply (possibly pointing to a malicious target), it will remember that reply and return it to all subsequent queries for the same DNS name until the TTL of the reply expires (which can be really long, like several days, if the attacker is clever enough).

If the visitor of such a site uses a properly configured, DNSSEC-aware recursive resolver (caching DNS server) and the example.com domain is signed with DNSSEC, he is quite safe.

The DNS resolver verifies the answer from the authoritative name server against the DS records from the parent zone (in this case the .com zone). If the answer is spoofed, the resolver returns an error (and does not cache the wrong answer). Only if the cryptography used for signing the DNS zone in question (or any of the parent zones) is broken or the secret keys are known to the attacker could he spoof such a DNS reply.

dave
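As an added example (not part of the question or the answer above), here is a small Python audit that applies the answer's reasoning from the defender's side: it flags NS hosts whose registrable domain is free to register and grades the finding by whether the zone has a DS record in its parent. It assumes a registrable domain is the last two labels and takes the registry state from an injected lookup callable (constructed here; in practice an RDAP/WHOIS query), so it runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List

@dataclass
class Finding:
    ns_host: str
    registrable: str
    severity: str
    detail: str

def registrable_domain(host: str) -> str:
    """Naive registrable-domain extraction (assumption: last two labels; real
    code should consult the Public Suffix List, e.g. for co.uk)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def audit_ns_set(ns_hosts: Iterable[str], is_registered: Callable[[str], bool],
                 has_ds: bool) -> List[Finding]:
    """Flag NS hosts whose registrable domain is free to register.

    Without a DS record in the parent zone, whoever re-registers that domain
    answers roughly 1/N of resolver queries and those answers get cached for
    the TTL. With DNSSEC, a validating resolver rejects the forged answers,
    so the impact is limited to SERVFAIL for queries that hit that NS.
    """
    findings = []
    for ns in ns_hosts:
        reg = registrable_domain(ns)
        if is_registered(reg):
            continue
        if has_ds:
            findings.append(Finding(ns, reg, "medium",
                "parent domain unregistered; DNSSEC limits takeover to DoS"))
        else:
            findings.append(Finding(ns, reg, "critical",
                "parent domain unregistered; takeover allows cached spoofing"))
    return findings

def exposed_query_share(ns_hosts: List[str], findings: List[Finding]) -> float:
    """Share of queries a resolver picking NS at random sends to flagged NS."""
    return len(findings) / len(ns_hosts) if ns_hosts else 0.0

# Constructed sample: the question's scenario, with example-ns2.com lapsed.
SAMPLE_NS = ["example-ns1.com.", "example-ns2.com."]
REGISTERED = {"example-ns1.com"}

if __name__ == "__main__":
    found = audit_ns_set(SAMPLE_NS, lambda d: d in REGISTERED, has_ds=False)
    for f in found:
        print(f"{f.severity.upper()}: {f.ns_host} ({f.registrable}) - {f.detail}")
    print(f"queries reaching a flagged NS: {exposed_query_share(SAMPLE_NS, found):.0%}")
```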