This also happens for me, UK, Bank of Scotland. Actually I find it to be a feature as I have my card number memorized and whenever I need a replacement I only need to remember 5 or maybe 6 new digits (including the three CV2 digits). I wouldn't really call it a vulnerability due to the CV2 being randomized and the fact we have chip and PIN over here.