Why is it so easy to infect a portable app.exe?
Well, there are several ways of infection, by including the overwriting of the code, replacing the files, adding code and breaking the code.
There are techniques of overwriting, which are very effective, because the change is permanent, and the file is corrupted
Any executable, when it is memory-mapped, has an EP (Entry Point) from which the execution begins, then it is possible to overwrite the one that is there, to the EP address.
Sure it is necessary to obtain this address.
All of the executable files have special headers that contain information, including an EP address.
For example, by entering a a shellcode that uses SEH, it runs the code. The Structured Exception Handler (SEH) is a mechanism that was implemented to mitigate the abuse of buffer overflows.
As you have already understood it is not difficult to create or infect a portable app, it is enough a good knowledge of programming in C\C++, Assembly and a knowledge of the general Windows architecture.
For this reason, you need to download these apps from reliable sources, and sometimes also the official manufacturer's website offers the portable version of the same software.