
Anecdotal and only related to your last paragraph, but as a security researcher I can say that 99% of the time attacks on a personal bank account are never "long term." Most of the time, regardless of skill, hackers get in, cash out and disappear. It's far more lucrative (and generally safer) to empty the account than try to blackmail someone based on spending habits.



I happen to know of a bank exploit in which the attackers compromised one thousand online accounts, and attacked all of them (transferring funds) on the same day.

Presumably the attackers were worried that after several transfers the bank would notice and block further access, so they kept a roster of compromised accounts to attack all at once. I suppose that a password rotation policy would have helped mitigate damage in this case, though something like fail2ban or automated IDS would have been better.



