Because regulators don't do their job.
Private customers shouldn't be responsible for auditing their bank - instead, regulators should enforce fines for banking privacy and security breaches that are an order of magnitude greater than the cost of implementing the systems securely.
The banking rules should be so that even an immoral Scrooge would see proper security as the cheaper, cost-efficient way compared to screwing their customers with shoddy systems.
If a bank teller violates financial privacy by leaking his customer's transaction lists, it carries criminal penalties in many countries. Why should a manager who intentionally violates banking privacy of thousands of customers face less prosecution?
The banking rules should be so that even an immoral Scrooge would see proper security as the cheaper, cost-efficient way compared to screwing their customers with shoddy systems.
If a bank teller violates financial privacy by leaking his customer's transaction lists, it carries criminal penalties in many countries. Why should a manager who intentionally violates banking privacy of thousands of customers face less prosecution?