Not the best of articles.
Firstly, HSTS is not "a cryptographic technology", it's HTTP Header signalling used to tell the browser to only connect via HTTPS next time.
Barclays domain doesn't support Forward Secrecy, which they "absolutely should". "There is no reason not to"
Well, given CPU decrypt I would agree, but most banks will offload these to crypto cards (Generally on an ADC, perhaps with a FIPS card / NetHSM which makes PFS much less of a requirement in that the key is very well protected), and a good number of those don't support PFS ciphers. Not to mention depending on architecture lack of PFS may be very helpful for IDS type devices.
"The most crucial thing the bank has missing is a HSTS policy which, for a secure website using HTTPS, is an absolute requirement."
Well, it's clearly not an absolute requirement, as the site works without it. Good practice, sure.
Not saying that the banks shouldn't up their game, but there may be perfectly good reasons not to support PFS