Usually it's a bit more complicated than that, and a reason why it's a big problem in the US is we don't have good ways to reliably gauge identity. SSNs got pushed onto everything because it's actually the only thing everyone has. Everything else is fragmented and optional. DL? State-to-state, fragmented, optional. Passports? Very optional, and expensive. Phone numbers? Much more universal, but the telephony system is not secure by any means. Usernames? Passwords? Well, we all know those aren't perfect security measures.
Right, we have various add-on solutions because the core problem is unsolvable. How do you identify every person in the US? You can't; SSN is the only way to even try to do that. But SSN is just a number. No picture, no description, no renewals, no nothing.
So then we bolt on these solutions to try to get it to work. The issue is we have multiple costs here - we have to balance security, but we also need to make sure customers can get their money most of the time they need to.
I recently signed up for Apple Enhanced Data Security or whatever it was called. It made it very clear that if I lose my password, my data can never be recovered. Ever. No email address can help, no recovery mechanisms. It's sealed and done for good. I'm tech-savvy and I can live with this. Can Nana? For my money, no.
We do things like security questions because they're easy and people understand them, and people use them all the time to recover accounts. Same reason we do SMS - everyone has a phone. These are imperfect solutions because perfect solutions have other issues. How many people will be locked permanently out of their bank account? How will the bank deal with those lawsuits?
An individual couldn’t pull that in any other transaction.