I've worked at a large traditional bank (market cap and enterprise value are both around 100b), they also allowed firefox as well as js, at least for developers (I don't know what it looked like for non developers).
It's this sort of attitude that makes sysadmins so incredibly popular among the masses.
Hint: if your environment feels like a concentration camp, users will find ways to work outside of it most of the time - which will be even more disastrous.
That's a fair point when literally hundreds of millions of dollars aren't on the line. It's not hard to properly secure your system from all manner of internet threats. There's no excuse for crypto exchanges not to implement such measures.
If hundreds of millions of dollars are one JS exploit away, the defense model is flawed. That sort of movement should require approvals from multiple people and even dedicated terminals that are not used for everyday browsing.
Security is a tradeoff; nuking browsers for everyone is just a bad tradeoff in 2019.
I don't know, maybe because they need to get work done...? Even traditional banks allow JS.