Shame they didn't look at third party scripts loaded by the sites. that's where most malware comes from after all. I recently noticed that Halifax's account pages try to load scripts from advertisers, even within the login page. No ads are displayed on those pages, but the tracking scripts seem to have been added to all pages by default. I logged a complaint with them but the support guy didn't really understand the issue, so I'm now looking for a new bank.