The worst aspect of QR codes as menu replacements is that they are a huge security risk. Who’s to say that QR code is legit? You can’t tell from looking at it. The trouble is compounded by the common practice of restaurants using some third-party service hosted off-site. The domain is no longer a trust signal either. It’s only a matter of time before someone starts snarfing information or credit card numbers this way (scan here to pay your bill).
Most of the places I've been to just put their menu on a website linked through QR code, but still take orders and payment through staff. I've been to one place that doesn't do this but only one.
But if a malicious QR code led to a website that asked diners to pay for their meal at the point that they ordered it, how many of them would?
Setting up a scam payment processing account for that doesn't seem worth the effort when it's going to be reported for fraud basically immediately.