An insecure page can be MITMed. The landing page is insecure. The links from the landing page to the login page can be redirected by an attacker to go to the attacker's login page. Links on HTTP pages cannot be trusted. NOTHING on HTTP pages can be trusted.
Buying every domain name that could possibly be confused with yours would be unnecessary in this context if you fixed the issue of an attacker being able to redirect to another name.
(Banks should also protect against easily phishable domain names but that's a also losing game, and in that case the technical solution is not as simple or complete).