Note that I can only confirm this in Sandbox, haven’t moved this code to production yet. Using the web-payments api, the verifyBuyer() function does not generate an error when an invalid verification code is entered. Instead, a verificationToken is returned that, when passed to the backend payments api or the createPayment function) fails from an invalid verification.
The failure of the verification (entering a bad verification code) should throw an error once all attempts have failed. The process should not continue to the backend or the createPayment() function within the api. Errors should be caught and handled at the earliest known point of failure.
You should have a link to a bug reporting system so this type of thing doesn’t get lost in the forums.
Currently, the guidance is to not gate taking payments based on verify buyer themselves, and instead to include the verification token with the payment. By submitting as many payments as possible to the gateways, we aren’t blocking payments and letting the issuer decide whether they want to authorize given the authentication result. This feedback is much appreciated and we have shared it with the team. 
Not sure how to respond to that… Seems pretty useless to pass a known bad verification to the back end when the error can be caught on the front end.
In fact, your own documentation says it will generate an error.
If all verifications are sending an email with a code to be entered, then entering a bad code is definitely an error that should be caught and detected.
You definitely raise a valid point. I’ve shared your feedback with the team. There is definitely room for improvement.