
CVV2/CVC2 - yet again.


lyalc
04-17-2007, 01:40 PM
PCI is pretty clear about storing CVV/CVC2 - never store after authorisation.

Consider:
Transaction log, where the PAN is masked (6.3), may also contain CVC2 (where it was submitted, and Acquirer accepts it).

If the CVC2 value is not (trivially) correlatable to PAN, does it matter?

Section 3.2.3 is pretty specific, as is the table on Page 4 of the audit guidelines.

Based on these, I can't see any option but to say yes, it does matter - and thus non-compliance is the result. Code changes are going to take a while, I think.

Any compensating control considerations, other than overwriting the transaction log file after a day or two?

Lyal
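The situation described in the post above (a transaction log that masks the PAN but still carries the CVC2 when it was submitted) is the kind of thing that is easier to stop at the logging layer than to clean up afterwards. The following is an added example, not code from the original post or from any vendor product: it parses key=value transaction records (a constructed format), drops any card security code field before the line is written, masks the PAN to first six/last four, and separately scans existing log lines to report where a security code is already stored. Field names such as `cvc2`, `cvv2`, `cid` and `pan` are assumptions for the example.

```python
import re

# Field names under which a card security code typically appears in a
# transaction record. These names are assumptions for the example; adapt
# them to the record format your application actually writes.
SECURITY_CODE_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "csc", "cav2"}
# Field names that carry the primary account number.
PAN_FIELDS = {"pan", "card_number", "cardnumber"}

# A transaction record here is a single line of space-separated key=value pairs.
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_record(line):
    """Parse one key=value log line into a dict (keys lower-cased, order kept)."""
    return {k.lower(): v for k, v in _KV_RE.findall(line)}


def mask_pan(pan):
    """Show at most the first six and last four digits, as PCI DSS masking allows."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(fields):
    """Return a copy of the record with security codes removed and the PAN masked.

    The security code is dropped entirely rather than masked: PCI DSS 3.2
    forbids storing it post-authorisation in any form, so nothing derived
    from it should reach persistent storage.
    """
    clean = {}
    for key, value in fields.items():
        if key in SECURITY_CODE_FIELDS:
            continue
        if key in PAN_FIELDS:
            value = mask_pan(value)
        clean[key] = value
    return clean


def sanitize_line(line):
    """Sanitize one raw log line; this is what the log writer should emit."""
    return " ".join(f"{k}={v}" for k, v in sanitize_record(parse_record(line)).items())


def find_security_code_leaks(lines):
    """Scan existing log lines and report (line_number, field) for every stored security code.

    Useful for confirming whether a log file already holds CVC2 values and
    therefore falls under 3.2 before the application fix is deployed.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for key in parse_record(line):
            if key in SECURITY_CODE_FIELDS:
                hits.append((number, key))
    return hits


# Constructed sample log: three records, two of which carry a security code.
SAMPLE_LOG = [
    "ts=2007-04-17T13:40:00 pan=4111111111111111 cvc2=123 amount=10.00 auth=approved",
    "ts=2007-04-17T13:41:05 pan=5500000000000004 amount=25.50 auth=declined",
    "ts=2007-04-17T13:42:30 pan=340000000000009 cvv2=1234 amount=99.99 auth=approved",
]

if __name__ == "__main__":
    for number, field in find_security_code_leaks(SAMPLE_LOG):
        print(f"line {number}: security code stored in field '{field}'")
    for line in SAMPLE_LOG:
        print(sanitize_line(line))
```

Running the block lists the two lines that store a security code and then prints each record as the sanitized writer would have emitted it, with no `cvc2`/`cvv2` field and the PAN reduced to `411111******1111` form. Applying `sanitize_line` at the point where the log is written addresses the root cause; `find_security_code_leaks` only tells you how much of the existing log already needs to be destroyed.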

fatal
04-17-2007, 06:51 PM
Actually 3.2 is the only requirement where no compensating controls are accepted. If this data is stored post authorization - even for a "day or two" or any period of time you are not compliant. I would hit your vendor up for a fix ASAP.

mdahn
05-01-2007, 06:45 PM
This is true, compensating controls can be used for any PCI DSS requirement EXCEPT 3.2.x.