
Or too many end users that forget their passwords. Never underestimate the costs of supporting password resets for nontechnical users.


This is a sentiment often missed by the security community. Good security is good to have, but if it makes the service unusable, it's worthless. And when it comes to the general public, that's a low bar set. Banking PIN codes are laughably poor security, but in general they do quite a reasonable job - people get their banking done, and the banks haven't collapsed in a heap due to PIN-based security violations.

This being said, the banks are also in the unusual position of being able to effectively insure themselves against relatively small losses (to them) in order to keep confidence in their business high.



