They are also violating the terms of their contract if they make fraudulent transactions on your behalf (to put it mildly). Which is why we're not worried about above-board merchants committing outright fraud, but we are worried possibly internal security holes through which your credentials may leak. The CVV2 is on their hardware while the transaction runs, which makes it vulnerable to unauthorized internal snooping.

I don't know how merchants like Amazon handle fraud, but they don't use CVV2 because they don't bill you until items ship.