It wouldn’t need a separate app if, for instance, a standard QR payment format way created. If you just want a link to a website to pay, then naturally that would be less secure, but you could always put the URL below the QR code for redundancy (QR would only save time typing then).
Because you can make it so that the required certificate/signature has to meet certain criteria to work. For instance, imagine there was a PayPal equivalent type app for paying QR codes, and they required all codes to be signed by one of their business customers (who they have on file). Or with a certificate they themselves issue their customers.