
Serious question, not trying to be rude.

If banks are full of competent programmers, why are their customer-facing online banking websites so utterly, utterly terrible?



I suspect this is because, every time there is competition between innovative features that are nice for users, and ensuring security/limiting exposure and attack surface, the latter concern wins with little discussion.

What I mean is, if they implement a new whiz-bang feature, the best case is that people complain a bit less. But if their new feature opens up an attack vector or social engineering opportunity, they may suffer serious financial loss and very bad press.


I'm not asking for whizz-bang features, just a lack of the busy, overengineered sort we tend to see.

Heck, First Direct is one of the better banks in this country, but their website popups deliberately hide browser chrome including the address bar, which is just obviously terrible for security. But that's something that must have been deliberately added.


I have had poo-flinging contests (in banking) with external "security experts" (i.e. grads with a 3 ring binder from accountancy firms) who think ripping out the chrome is a todo on the required security checklist.


Programmers don't decide the UX. And any decent-sized bank will be pulled in different directions by:

1. The standard "enterprise problems": strategic partnerships dictating toolsets and so on.

2. The standard "big company problems": many business units acting as fiefdoms who will be arguing over how much real estate they need on customer-facing channels.

3. Tensions between customers who are scared of "money" and "online" and want everything locked down vs customers who want the latest whizz-bang everything.

4. Regulations.

5. Customers spanning a range from high-value rural farmers with vast sums of agribusiness who are stranded on dialup (yes, they exist), customers who do their banking on whatever their work PC is (XP and IE6 is still a thing - our biggest surge of the day is the 9 am rush when people log in from work to do their banking), through to customers who want the latest and greatest HTML5 webbery.

Saying, "fuck it we only support WebKit and high speed internet" is not really an option.



Usually because they have to support IE6



