Nope, it is not a security flaw. Its instead enhances security. The following 2 cases illustrate why.
Case 1: OTP is only received only if CVV is correct:
Since CVVs are commonly 3 digit numbers, it easy to crack - only about 1000 possible combinations. The hacker may try all the possible combinations since cracking this wont take much time. So you CVV can be considered hacked once you get your OTP. Now the hacker has to only crack your OTP which is generally (~ 6 digit number = 1000000 combinations). Total number of combinations needed to hack your account 1000000+1000 = 1001000 combinations. Not much time will be required to generate these many combinations. Hence the card can be hacked easily
Case 2: OTP is received even if CVV is incorrect
In this case, you need to get a combination of CVV (3 digits) and OTP (9 digits) correct. Thus the total number of combinations are 10^9. This is about 1000 times the combinations needed in the above case. More number of combinations => More time required to crack and thus hard to crack.