
No. You limit to 3 attempts per user before you go to the bank to show ID.

Why do Hacker News people think they are better at security than multi-billion-dollar banks?




Because in some cases they are.

Many banks (I work for one of them) follow reasonable best practices, allow or require strong passwords, store them safely and require sensible second security factors. Others are decades behind in security, using nonsensical security schemes like the ones morgante and mng2 described above or requiring your password to be letters and numbers only, between 6 and 8 characters.

If you care about security, stick with the banks who do as well. Make sure their password guidelines are in order, go with the ones that make you use a second factor, and if you ever see any hints they're storing your password in plain text, run.


Hashes are meant to secure the password in the event of a db compromise. The 3-try-lockout thing is useless if you have the hash.


You're conflating completely different kinds of security.

Banks are good at not losing money.

But website security is an afterthought for them.

It's easy to make a website that has better security practices than a typical bank website.

It's not about having better skills or resources, it's about having the motivation to do it in the first place.

A bank could set up spectacular security, but that doesn't mean they usually do so.


I'm guessing you've never worked in IT, but security is a joke in the entire industry.

Everybody knows that we are hopeless at it, and often the flaws that are exploited are just as simple as this.



