Re: IPSEC tunnel now active when Static route on WAN connection is larger than primary
I'm assuming you meant "static default route" by "static route".
My first suggestion, if the IPsec peer's public IP is static (not dynamic), is to set a /32 static route for the peer IP toward the DMZ port, so that regardless of the priority/distance of the default routes to WAN2 and the tunnel, the tunnel always comes up and stays up.
If that's not an option, the second suggestion is to set a low "priority" (a higher priority number) on the default route to the DMZ port. It might not establish the tunnel from the local end, but since it's still in the routing table, the other side's tunnel-establishment attempts would be returned to the port they came in on (the DMZ port).
You didn't explain how you want to utilize the two default-route paths, WAN2 and the tunnel, when the tunnel is up. But based on your distance settings they would load-balance with ECMP logic.
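The two suggestions above, written out as a static-route configuration. This is an added example, not part of the original post; it assumes the firewall is a FortiGate running FortiOS (the post's use of "distance" and "priority" points that way, but the thread does not say so). The peer address 203.0.113.10, the DMZ next hop 192.0.2.1 and the WAN2 next hop 198.51.100.1 are made-up documentation addresses, and the interface names "dmz", "wan2" and "vpn-tunnel" are placeholders for whatever the real ports are called.

```fortios
# Added example, not the original poster's config. Assumes FortiOS.
# Addresses and interface names below are placeholders.
config router static
    # Suggestion 1: host route for the IPsec peer out the DMZ port.
    # Longest-prefix match means this /32 is used for traffic to the
    # peer before any default route is considered, whatever distance
    # or priority the default routes carry.
    edit 1
        set dst 203.0.113.10 255.255.255.255
        set gateway 192.0.2.1
        set device "dmz"
        set distance 10
        set comment "IPsec peer pinned to DMZ port"
    next
    # Suggestion 2: a default route via the DMZ port with the same
    # distance as the other defaults but a worse (higher-number)
    # priority. Equal distance keeps it in the routing table, so
    # traffic that arrives on the DMZ port can be answered there;
    # the worse priority keeps it out of the preferred path.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "dmz"
        set distance 10
        set priority 20
    next
    # Existing default routes via WAN2 and the tunnel. With equal
    # distance and equal priority they are ECMP candidates, which is
    # the load-balancing behaviour the post describes.
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 5
    next
    edit 4
        set dst 0.0.0.0 0.0.0.0
        set device "vpn-tunnel"
        set distance 10
        set priority 5
    next
end
```

After applying this, `get router info routing-table all` shows which routes are active; the /32 for the peer should appear via the DMZ port regardless of what the default routes are doing, and all three default routes should be listed with their distance and priority values.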