Theories:
1) it's not embossed, so employee crooks at stores swiping cards with carbon paper don't get the CVV2 number.
2) it's not part of the hashing function within the card's primary 16 numbers, so even if you use a credit card generator program (trivial to write), you can't get correct CVV2 numbers, since only the card issuer has it.
3) merchants aren't supposed to store CVV2 numbers? So if their databases are hacked, nobody gets those? No... because I know Amazon and many others do.
I don't really think (1) and (2) happen much anymore compared to databases being hacked (3), and since everybody just puts CVV2 numbers in their databases, how does CVV2 really help?
Enlighten me!