Because the 3ds system is ideologically created wrong, and the services have the right to decide for themselves whether to request an sms code (usually at the first client's payments) or not. Until now, there are online stores (but there are few of them, I have not met) that do not request sms at all.
Why is it wrong, because this system only makes sense as a protection against unreliable payment acceptance services. It is very wise to ask a swindler whether he is a swindler or not.

Large businesses take on the risks of jambs without 3DS and thus receive a bonus in the form of faster debiting of funds (no need to wait for SMS).

Paypal does not take any risks, it transfers all the risks to the seller.
Tell their experience with PayPal as a merchant (i.e. seller). Agreement with PayPal for legal face.
worked with paypal for about 1.5 years.
In case of fraudulent actions (someone apparently bought a database of spoofed accounts), Paypal simply cancels the payment, returning the money to the client. He does not care at all that the goods have already been delivered to the recipient. When you call support, they just say that these are your risks, read the contract.
In one of the months, there were more such fraudulent payments through PayPal than usual. And what did PayPal do? They simply terminated the contract with us without any warning, etc. and blocked the account balance for 180 days.
Apparently, the logic is such that since all the risks are shifted to the seller, then there is no need to deal with scammers.