Surely it's the banks' decision

The altruistic concern of the hackers for the banks' wellbeing is very laudable I'm sure, but surely it's up to the banks themselves what level of security they are comfortable with for their ATMs (or credit card systems)? They're the ones who take the loss.

It's a bit different if other people's property is under threat (eg. personal data) but in the case of pureless financial loss like this unless the hacker had the bank's permission to test the system it's quite unjustified to break into their systems just to prove a point or boost his ego. As an earlier poster noted, it's exactly analogous to breaking and entering into someone's home or office to illustrate how weak their security is.

(And banks do of course take security very seriously. There are all kinds of threats that they continuously watch out for and protect against, some more obvious than others.)