My understanding from the situation has been that banks don't care because in a checking/savings account, it's your money getting stolen, not theirs.
For credit cards with awful security, they don't care because the money they get from making it easy to sign up and use their services is far, far greater than the costs of dealing with fraud.
How accurate is this hypothesis of mine? It really can't be an education thing because I'm sure these companies have great engineers working there, both at the lower ranks and (at least sometimes) in upper management.
The vendors foot the bill for credit card fraud, and end up paying transaction fees both ways. I used to work for a company whose website was found by some entity in the stolen credit card ecosystem to be convenient for making small purchases to validate stolen cards. The bank / credit card processor was in a much better place to make fraud decisions, and yet somehow all of the risk was on us and the credit card processors actually made better profits due to the fraud. Incentives are badly aligned.
In most cases checking/savings account hijacking would have little or no loss to the customer (usually there is a time frame the loss has to be reported by and there may be a low minimum fee of $50 or so).
There would be no raw financial loss at the end of the day, but there sure is a lot of time loss involved for both parties. It gotta cost not a non-zero amount of money to deal with all those issues, while with a proper 2FA all those costs would be pretty much cut to zero.
For credit cards with awful security, they don't care because the money they get from making it easy to sign up and use their services is far, far greater than the costs of dealing with fraud.
How accurate is this hypothesis of mine? It really can't be an education thing because I'm sure these companies have great engineers working there, both at the lower ranks and (at least sometimes) in upper management.