First mention I've seen of 3-D secure here. Good research.
Anyway: Visa does not impose the authentication method on the issuers; the issuers can do this in any way they prefer (within certain limits). Some use "web shopping passwords", some use one-time passwords, some use a SMS or email solution, some tie it into the online banking security platform, some use national ID.

Also, many of the current gripes with 3DS are being worked on; for instance the iFrame/domainname issues.

Keep in mind that 3DS (VbV/MCSC) does NOT entail any other kind of fraud screening (name matching, etc.); it is an authentication system ONLY. And, for the time being and for most card products, if your card is not enrolled by your issuer (voluntary or not) you won't be asked to authenticate, though you will sometimes be redirected to a component of the 3DS chain to check your enrollment status.

For the merchant, it's simple: Attempt to authenticate, and liability for fraud is shifted to the issuer. Card not enrolled? Not your problem. Card enrolled? Authorize if authentication OK, otherwise don't.

But as many have said: This is not primarily done for the cardholder. It's for merchants (lower risk -> more/happier merchants), banks (lower risk -> lower cost, more merchants -> profit!) and the card companies (Visa/MC, less fraud -> less brand damage -> more shopping -> profit!).