The paper recalls a perfect example from one of its authors -- the official 3DS page is served by securesuite.co.uk for some UK banks, so he calls his bank and they tell him it's a phishing scam. Yet merchants are expected to do this, lest their chargeback rate climb too high and the account be terminated.
I've only encountered 3DS in the wild once, and only after registering a card for it in the process of testing my own implementation. It only took two days of running VBV and MSC on one of my websites to see that it would be completely economically infeasible -- doesn't matter if I'm protected from chargebacks if it means half my customers abandon checkout out of fear and confusion.
I've had a real hard time handling card-not-present fraud on my websites. I sell packaged self-service advertising services on one site, and it's highly targeted by the do-no-goods that want to use it to push traffic to affiliate sites and phishing scams. They use stolen credit cards to buy the advertising hoping to funnel good money, or more stolen cards, from the traffic back to their accounts. I still have one merchant account in limbo (bank holding 6 months' worth of payments) from spending two years working on fraud detection methods to battle this. I only got chargebacks below 1% through geolocation, country blocklists, proxy detection, my own and 3rd-party blacklists, minFraud risk scoring, in-house risk scoring and pattern matching against past fraud, and phone verification of all high-risk orders.