If the transaction seems low risk, issuers will often approve the transaction with a wrong expire date or cvv but will tell the merchant it was approved but be aware the wrong security details were used. BA obviously have it set on their own system to void any transaction with incorrect details. BA were a bit stupid doing this as they wouldn't be liable for an approved safekey (3D secure) transaction even if it was fraudulent.

This very much varies by issuer (and I think Visa Europe decline all transactions with an incorrect cvv)

While not the case in this instance, sometimes the CVV can't be checked either and the issuer will return a message saying so but I don't think a merchant can decline a transaction for this reason. This can sometimes happen when an FI (usually small credit unions) are using the card networks stand in procedures (where the network is approving the transaction on behalf of an issuer), usually because they are doing routine maintenance or experiencing technical issues. Often the card network won't know what the CVV (and in some cases the PIN in countries that use a certain method for PIN verification)