They shouldn't be storing any CVVs according to security standards anyways. If your credit card allows purchases without the cvv that feels like it's on them.
They're probably not.
When you take a CVV on a first payment, you exchange it with a card issuer for a token to use in subsequent transactions. The CVV is not stored.
Refreshing of the token is down to card issuer policies.
The merchant (Sony) could also force a refresh if it detects fraud on its end. And perhaps they should do so, or do so more robustly, if it detects a machine change or whatnot.
However, Sony is right in this instance that it's a matter of fraud rather than account security. At some point the system has to accept you as an authorised user, and there's no exploit or vulnerability here with regard to the user authentication side.
If you wish Sony to be more paranoid than they are about what an authorised user can do, then be more paranoid yourself - don't allow it to store payment data.
edit - side note, I'd be curious to know if Amazon forces a token refresh - cvv re-entry - upon purchase of
digital goods from a new machine, as opposed to upon delivery to a new address.
edit 2 - re-reading the description, it sound like Sony does intend to refresh payment tokens when it detects a new machine, but that the cvv re-entry for this can be bypassed. Irrespective of whether the token refresh is required by the card issuer in these circumstances, if Sony intends to do it they should probably make sure it works properly! But unless card issuer policy requires that refresh in these circumstances, this is a failure of their own extra paranoia rather than a standards breach.