
So you keep client cookies and auth tokens… somewhere?


Sounds like one of those cases where convenience trumps security for business users and the engineers keep their palms close to their faces.


There is a payment provider in Europe that has become rather popular, who implement "instant" payments by asking for your online banking credentials... Security best practices always go out the window when they interfere with the business case.



