Tiny open-source gadget simulates replacement Amex cards, disables chip-&-PIN

Chip and PIN as a protocol is broken, precisely because of the design considerations I mentioned. If the protocol were designed for security above anything else, it would be more like the CAC / PIV model used for US DoD and government ID cards.

The problem with chip and PIN is that the system actually trusts the cards to be giving proper information, instead of doing asymmetric key verification with a central server. While the US is doing it worse by going with chip / sig, nobody is doing it right.

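As an added example (not part of the post above, and not EMV or PIV code), this Go sketch contrasts a verifier that believes a card's self-reported status with one that checks a signature over a fresh nonce against a public key enrolled at a central server. The message layout, the names `CardReply`, `Server`, `Nonce` and `Respond`, and the choice of Ed25519 are assumptions made for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// CardReply is a constructed message, not EMV or PIV wire format.
type CardReply struct {
	CardID      string
	PINVerified bool   // status the card reports about itself
	Sig         []byte // signature over the verifier's nonce
}

// TrustingAccept models the weak design: believe the card's own claim.
func TrustingAccept(r CardReply) bool { return r.PINVerified }

// Server is a hypothetical central verifier holding enrolled public keys.
type Server struct{ Enrolled map[string]ed25519.PublicKey }

// Nonce returns a fresh random challenge for one authentication attempt.
func Nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Verify accepts only a signature over this nonce made by the enrolled key.
func (s *Server) Verify(nonce []byte, r CardReply) bool {
	pub, ok := s.Enrolled[r.CardID]
	return ok && ed25519.Verify(pub, nonce, r.Sig)
}

// Respond is the card side: sign the challenge with the on-card private key.
func Respond(id string, key ed25519.PrivateKey, nonce []byte) CardReply {
	return CardReply{id, true, ed25519.Sign(key, nonce)}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv, n := &Server{map[string]ed25519.PublicKey{"card-1": pub}}, Nonce()
	claim := CardReply{CardID: "card-1", PINVerified: true} // constructed: status only, no signature
	fmt.Println(srv.Verify(n, Respond("card-1", priv, n)), TrustingAccept(claim), srv.Verify(n, claim))
}
```

A reply is bound to one nonce, so a recorded reply fails verification against any later challenge.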