because their customers chose not to care (at least, until shit hits the fan). A bank (or any conservative organization) will only really react, as it is too slow to become proactive (otherwise, it'd be, by definition, no longer conservative! à la Google, Facebook, etc.).
Because regulators don't do their job.
Private customers shouldn't be responsible for auditing their bank - instead, regulators should enforce fines for banking privacy and security breaches that are an order of magnitude greater than the cost of implementing the systems securely.
The banking rules should be such that even an immoral Scrooge would see proper security as the cheaper, cost-efficient way compared to screwing their customers with shoddy systems.
If a bank teller violates financial privacy by leaking his customer's transaction lists, it carries criminal penalties in many countries. Why should a manager who intentionally violates banking privacy of thousands of customers face less prosecution?
This is the real issue. Banks can certainly afford to hire qualified engineers; Santander apparently chooses not to.