Your registrar has the right to manage a subzone of the DNS namespace. For ccTLDs (country-code top level domain, for example .us) this is mostly one, for gTLDS (global TLDs like .com) there are multiple.
If you tell your registrar your own DNS, the registrar will define a new subzone for the domain, and delegate the DNS resolution. Everytime the information in the DNS is updated, it polls the DNS above it that the information has changed. This will mostly be the registrars DNS. The registrar in turn will forward this information to the different root DNSs.
Now to your questions:
- How secure is this process?
This process isn't very secure, since the system wasn't designed with security in mind. It basically trusts that whatever information it is given is correct. So if a rogue registrar wants to take over a domain, it just has to make sure the root servers have the bogus information and not the correct one. This information can easily be spoofed. Normally a registrar should check for this, and only update records for their own subzone.
Even worse are the responses, since, when the root server receives information, every DNS accepts every answer they get. Which means it isn't that hard to redirect, for example, Google to a bogus IP. This is why DNSSEC was invented, so responses can be cryptographically signed.
- Can any registrar update my name server's root?
Do you mean that any registrar can pretend to be your DNSs master server? Every DNS should be able to poll data from your DNS, but that shouldn't be a problem (minus the spoofing mentioned above).
- What security provisions are in place?
Trust, if you can call that a security provision. :) If you don't believe in trust, the rollout of DNSSEC is currently underway. It doesn't solve all problems DNS has, but at least a few. It mainly allows DNS responses to be signed, so it isn't that easy anymore to spoof the corresponding IP. It is, as far as I'm aware, still possible to poison the cache of the individual DNSs.