Hacker News
by slg 2882 days ago
In their defense, being able to successfully identify that a customer is who they say they are is a difficult problem that is only compounded when you might only speak to a customer as infrequently as every few years. 2F devices and codes can be lost. Passwords and PINs can be forgotten. Answers to security questions can change. Have you ever tried to access your own account with a company like this without this data? There are few things more frustrating than being locked out of your account because you can't recall what you said your favorite movie was in 2012. Throw in the low odds of actually being targeted in a social engineering attack and companies optimize for customer satisfaction and convenience over security.

Blaming companies for responding to those incentives isn't going to accomplish anything. The way to fix things is to change the incentives by either increasing the punishment for falling for social engineering or creating a system that makes it easier to remotely identify people.