
No. Google Wallet simply blurts the magstripe information into the reader over NFC. It has no security features to speak of.


It doesn't use your card's number, it creates a virtual card and gives that number to the payment terminal.

https://support.google.com/wallet/answer/2676665?rd=1


Yes and who cares? It still is not secure. Anyone who gains the virtual card number can use it and the merchant system can charge arbitrary amounts of money to it.

A payment system that wasn't cooked up by weirdos would include actual security features such as your phone's display shows the amount of the transaction and you enter a PIN or password or other knowledge and your phone signs the transaction. That would be nonrepudiable and you could clear such transactions at negligible cost because there's little risk.

Square, which isn't exactly winning out there, at least does include a modest security feature of displaying the picture of the authorized card user on the terminal.


I wasn't commenting on the security, just on the "blurts the magstripe information" comment. Apologies if you meant that metaphorically.

As for the rest of your comment, I don't think you're doing any risk modeling.

I have $0 fraud liability on all my cards. When fraud occurs, it takes a couple minutes to dispute a transaction. Even when it was a debit card, my credit union immediately gave me a provisional credit for the disputed amount while they investigated. The total cost to me for fraud is no more than a few minutes of my time. I have little reason to care about security.

Banks care about profit. What makes you think they haven't considered tighter security measures, and found that the cost of implementing them (including the inconvenience to consumers and resulting lost revenue) outweighs the savings from reduced fraud?


That doesn't make any sense, no. Instead, they skip the secure element and transmit something non-standard (...by buying a bank and routing those through that, essentially acting as a proxy to the card networks?):

http://secureidnews.com/news-item/host-card-emulation-enable...



