Reply to post: Bank security litmus test...

Brit banks must disclose outages via API, decrees finance watchdog

Drew Scriver
FAIL

Bank security litmus test...

Here's my litmus test to determine if a bank might truly care about security:

1) Is there a way for customers to report security issues, and

2) How quickly does a bank patch known issues?

1.

As a customer I have found several (sometimes major) security issues with some of my banks. I have dutifully called customer service every time and it's always been the same: the customer service reps do not have a procedure to report my findings internally. My conclusion: the bank does not truly care about security.

2.

Even though PCI-DSS should not be mistaken for a solid security policy, it does require that CVEs rated 4 and higher be patched within a month of the availability of a patch.

Remember POODLE, Heartbleed, et al.? Under PCI-DSS these should have been patched within a month. However, many (major) banks took six months or longer - even though the public could see (e.g. through SSL Labs) that they were failing to do so.

Had these banks truly cared about security they would have had processes and architectures in place that enable them to actually patch in a timely fashion - at least the front end.
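One way to track the patch-window point made in this comment, as an added example that is not part of the original post: an audit over vulnerability records that flags every CVSS >= 4.0 issue closed (or still open) later than the PCI-DSS window. It assumes "within a month" means 30 days, and the records, CVE placeholders, scores and dates are constructed, not any bank's real data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: "within a month" modelled as a fixed 30-day window.
PATCH_WINDOW = timedelta(days=30)
# PCI-DSS scoping threshold quoted in the comment above (CVSS 4.0 and higher).
CVSS_THRESHOLD = 4.0


@dataclass
class VulnRecord:
    cve: str
    cvss: float
    patch_available: date      # date the vendor fix became available
    patched: Optional[date]    # date the fix was deployed; None if still open


def audit_patch_window(records: List[VulnRecord], as_of: date) -> Dict[str, int]:
    """Return {cve: days_overdue} for each in-scope record that missed the window.

    In scope: cvss >= CVSS_THRESHOLD. Deadline: patch_available + PATCH_WINDOW.
    A record with no patched date is measured against `as_of` (still open),
    so an open issue keeps accruing days the longer it stays unpatched.
    """
    overdue: Dict[str, int] = {}
    for r in records:
        if r.cvss < CVSS_THRESHOLD:
            continue                      # out of scope for the patch requirement
        deadline = r.patch_available + PATCH_WINDOW
        closed_on = r.patched if r.patched is not None else as_of
        if closed_on > deadline:
            overdue[r.cve] = (closed_on - deadline).days
    return overdue


# Constructed sample data: placeholder CVE ids, illustrative scores and dates.
SAMPLE = [
    VulnRecord("HEARTBLEED-CVE-PLACEHOLDER", 7.5, date(2014, 4, 7), date(2014, 10, 20)),
    VulnRecord("POODLE-CVE-PLACEHOLDER", 4.3, date(2014, 10, 15), None),   # still open
    VulnRecord("LOW-CVE-PLACEHOLDER", 3.1, date(2014, 10, 15), None),      # below threshold
    VulnRecord("ONTIME-CVE-PLACEHOLDER", 5.0, date(2014, 10, 15), date(2014, 11, 1)),
]
AS_OF = date(2015, 1, 15)   # constructed audit date


def run_sample() -> Dict[str, int]:
    return audit_patch_window(SAMPLE, AS_OF)


if __name__ == "__main__":
    for cve, days in run_sample().items():
        print(f"{cve}: {days} days past the patch window")
```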
