by computerfriend 2814 days ago
Or the opposite, that people will unknowingly transmit data over untrusted connections without this.

They can't. With most banks and even PayPal, their site is secured by HSTS which renders their site completely unusable with no way to get past the warning.

Your only option is to use a _different_ browser which trusts the old certificate.

Or to switch to a bank that actually cares about security?

> no way to get past the warning.

You are right, but there's always a chance that the various documented HSTS bypasses might filter down to normal people. People might be willing to find and use them if they /really/ need access to the site.

e.g. Typing "thisisunsafe" in Chrome on the error screen, or flushing the HSTS state in the browser.

PayPal just switched to a DigiCert certificate and should be accessible now.