Good article. Maybe this will help them?
I too have had concerns over the security of banking websites. I'd tested Santander with SSLLabs a while back and it scored badly. It was near impossible to get anyone at the bank to listen to me, although it does look like they are listening now as the score has improved. Conversely, I reported similar SSL vulnerabilities to my investment platform (AJ Bell) and had a phone call back almost immediately from their Security Officer thanking me for my concerns and assuring me they'd address them. They fixed the issues within a week. Kudos to them.
So, it can be done, and HSTS is really simple to implement too.
El Reg, maybe forward them all this article from the renowned Troy Hunt?