I wish journos looking for a comment would start off along the lines of "We'll take it as read that you'll say customers' security is important to you. Given $cockup can you prove that?" and then follow up the next anodyne waffle with "That's a no, then.". And report that as "$wankers were unable to give us any meaningful reassurances.".
In the meantime it's long overdue that banking licences were dependent on maintaining security to top standards. The regulators should run tests against each new vulnerability disclosure that might affect the web site. Any bank found with its site not up to date with its patches would be given no more than 3 days* to fix it or the web site would have to be taken off line until remedied. This would mean that maintaining security would become an essential part of doing business, as it should be, instead of an expensive option, which it all too often seems to be.
And while the regulators are about it, financial institutions should not be allowed to let 3rd party marketing companies send out emails purporting to be from the institution but actually from some other domain, with out of domain links, reply-to etc, again to be policed by the regulator on pain of fines that would wipe out the marketing department's salary budget for a couple of years.
*Possibly over generous, especially if a patch has been made available prior to disclosure.