There is no security
While PCI DSS compliance may help prevent some attacks, it, like everything else, does not guarantee security. Since processors must accept unsolicited data from untrusted sources (sources they do not control and therefore cannot be assured of anything), and because they use general-purpose software running on general-purpose operating systems which themselves run on general-purpose computers, there is literally no way to guarantee security. There could be any number of vulnerabilities in the hardware itself, the OS, the apps, the communication medium, or through social engineering. That said, they (in theory, at least) do cut down on the possible exposure to known exploits.
Simply put, people have to realize that compliance does not guarantee security, especially since the processors are only audited (tested) once per year. McAfee's "hacker-safe" tests sites every day, and even that doesn't guarantee security. It just means that the sites are protected against known exploits.
re: Disingenuous -- "Visa does not supply a one time tokens, banks do... They need to provide a one time token for their Visa cards..." Your argument falls flat on its face when you realize that Visa does not provide cards, the banks (the ones lending the money) do. They (the banks) are the ones who decide what type of cards to use and what level of security the cards use.
re: "Retrospectively decertifying them on the grounds that 'Oh, well if they got hacked they must not have been secure after all', merely points out that the original certification process is worthless and guarantees nothing." The article mentions nothing of the sort. It does, however, say "Based on compromise event findings, Visa has removed Heartland and RBS WorldPay from its list of PCI DSS compliant service providers", which is something very different. Most likely, it means those processors were storing data they are not allowed to store, or the findings showed that they did not have the proper protections in place. Since they don't explicitly say, we don't know why the processors were decertified. However, as I pointed out above, even full compliance is not a guarantee of security.
Simply put, there is literally no way to guarantee security. Ever. Period. You can do a lot of things to lower your risk, but there will never be guaranteed security. Once you accept that, then it's time to move on to try to find a balance between acceptable risk and inconvenience and cost.