I was thinking about the same thing! Although the original QR code spec did allow binary payloads[1], smartphones and cameras weren't ubiquitous in mid 90s. But they are now. Transmitting computer virus or malware within the QR code binary payload might just be as easy as pointing your camera lens to the QR code. Since the QR code image is only machine readable not human readable, it would be indistinguishable, neither any digital signature to prevent it from being altered.
[1]: https://en.wikipedia.org/wiki/QR_code#Storage