If your computer is compromised with malware, someone else is calling the shots, so it doesn't matter what other security measures are in place if there are transactions that rely on the compromised computer for processing and transmission.
Using two-factor authentication with a one-time code defeats the vast majority of attacks, most of which use stolen credentials. Even if the token is stolen (assuming some numpty has not scribed the PIN on the back), there is still one piece of information missing, and the device locks out after a number of incorrect PINs.
One downside is that if the computer was compromised at token registration time, the PIN is also disclosed, but the attacker still has to target and get the token, which, if missed, would, I presume, be cancelled the same as a missing bank card.
Compared to secret words, numbers and pick lists, using something you physically have, something you know and generating a one-time code is a big step forward in security for on-line banking authentication.