LinuxQuestions.org
09-15-2013, 01:22 PM   #1
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Upgrade & secure old wordpress site


This is about a very old site running WP 2.6.
It has not been properly maintained. There are 56000 spam comments as of today.

My job is to take care of this site, remove all spam, upgrade wordpress to newest version and add spam-control.
So I add spam-control, change admin password - and still comments keep coming in as approved!?
The site has only one administrator account, but lots of "user" accounts (it belongs to a webshop). But there are no other accounts with admin privileges, this I have checked in the database/mysql from cli.

My question number 1, to put it simply:
*How can comments be approved without admin approval*???

Question 2:
Am I doing the wrong thing here, just trying to upgrade & secure this site? Is it really possible to make a wp-site this old secure?
Maybe I should just rebuild everything from scratch - but then, the owner doesn't have the money to pay for that...
 
09-15-2013, 01:52 PM   #2
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Apologies if you've thought about this already, as I've no direct knowledge of Wordpress, but couldn't you back-up the database and files, install the latest Wordpress and restore the backup?
http://codex.wordpress.org/WordPress_Backups
 
09-15-2013, 02:05 PM   #3
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Original Poster
Yes, I could do that. It might be better/safer than just upgrading?
But if somebody succeeded in hacking the old site and I just restore the old database to the new site, doesn't that mean he'll still have access?
If that's what happened?
 
09-15-2013, 02:09 PM   #4
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

The benefit of re-installing is that if somebody left a rogue file around you will be removing it. It's a good point about the database though. I'm afraid, as I said, I've no experience with Wordpress but hopefully somebody who has is reading.
 
09-15-2013, 09:24 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

In your WordPress dashboard, go to Settings-->Discussion.

That's where comment settings reside. The default is to allow comments as long as the user provides an email address.

On my own blog, I allow comments, but close them on a post after it is seven days old, and I use Akismet. Closing comments after seven days was a recent decision which has done wonders in reducing the number of spam comments which I receive. I also close comments on all "pages."

Akismet captures almost all spam comments and puts them in a special place where you can review and delete them. Just overnight last night, Akismet quarantined 62 spam comments. (If you want to see my blog, the link is in my profile.)

In the years I've used Akismet, it's missed fewer than a dozen spams. It's so reliable that I don't even review the comments it marks as spam any more; I just delete them.

Also check the "Comment Moderation" area in the "Discussion Settings." You can create special conditions (number of links, keywords, etc.) that send comments into the moderation queue.

With judicious use of these rules, I have been able to avoid forcing all comments into moderation at my own blog.

I do not use third-party comment systems, such as Disqus. They are annoying.

Last edited by frankbell; 09-15-2013 at 09:35 PM.
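
The Discussion settings described in post #5 are stored in the database, so they can be checked from the mysql client alongside the comment and account data discussed earlier in the thread. The queries below are an added example, not part of any post; they assume the default `wp_` table prefix and the schema of a current WordPress release.

```sql
-- Added example. Assumes the default table prefix "wp_"; change it if
-- wp-config.php sets a different $table_prefix.

-- 1. Discussion settings that decide whether a comment is held for approval.
--    comment_moderation = 1   : every comment must be manually approved
--    comment_whitelist = 1    : author must have a previously approved comment
--                               (named comment_previously_approved since WP 5.5)
--    comment_registration = 1 : only logged-in users may comment
--    comment_max_links        : comments with this many links go to moderation
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN (
    'default_comment_status', 'comment_moderation',
    'comment_whitelist', 'comment_previously_approved',
    'comment_registration', 'require_name_email',
    'comment_max_links', 'moderation_keys',
    'close_comments_for_old_posts', 'close_comments_days_old')
ORDER BY option_name;

-- 2. Comment counts per status: '1' approved, '0' pending, 'spam', 'trash'.
--    A recent newest_gmt on the '1' row means comments are still being
--    published without passing through the moderation queue.
SELECT comment_approved,
       COUNT(*)              AS comments,
       MAX(comment_date_gmt) AS newest_gmt
FROM wp_comments
GROUP BY comment_approved;

-- 3. The latest approved comments. user_id = 0 means the commenter was not
--    logged in; a non-zero user_id ties the comment to a site account.
SELECT comment_ID, comment_date_gmt, user_id,
       comment_author_email, comment_author_IP
FROM wp_comments
WHERE comment_approved = '1'
ORDER BY comment_date_gmt DESC
LIMIT 20;

-- 4. Accounts whose role carries the moderate_comments capability
--    (administrator and editor by default). Roles are stored as a
--    serialized PHP array in the <prefix>capabilities usermeta row.
SELECT u.ID, u.user_login, u.user_registered, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND (m.meta_value LIKE '%administrator%' OR m.meta_value LIKE '%editor%');
```

Running query 4 again after restoring an old database into a fresh install shows whether any privileged account came across with the backup.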
 
  

