They could put it through without a CVV code, but then they take a risk if the customer queries it, ( although the bank would also have to allow it through as not suspicious)
For example Amazon never ask for the security code even for a new card.
That would depend an many things. If an authorisation code is required then reusing an old one isn’t permitted in most circumstances, there are ways some companies do, but whether or not that abides by the rules can be argued both ways. However a live authorisation code is not a requirement for processing a transaction. So providing a company is only submitting transactions within the limit agreed with its bank/acquirer there would be no need to live authorise a transaction under a CPA, thus no need for a CVV. That is the reason some companies will often process numerous small transactions under a CPA, lots of talk about stopping that, but that is going to be hard to stop.