by 4RealFreedom 665 days ago
I'll give you accessibility. I tried changing images in the browser on the fly and it just hides the image. That's probably because the browser would need to make a new GET request.

That's probably a content security policy or CSS thing. Just tried it on a site (not HN, because of content security) and it worked fine.
I've tried a few different sites and I can't make it happen. I'll keep trying.
Wouldn't banks have content security set up?
Maybe? You'd hope, but who knows. Still easy to just replace the image with plain text in the HTML, or a data URL (if allowed). Or put an iframe in there. Point is, if they control the HTML they can do pretty much anything.

Edit: Just tried it with Chase, Merrill Lynch, Citibank, Bank of America, and Wells Fargo. Only Wells Fargo had a CSP in place to prevent this. But even Wells Fargo let you just inject a data URL image.

Systems that these banks have provided are provided for feasible access to your account.

They are not in any way interested in tightening or fortguarding their portal's rendering, until it ends up causing them to give more money, i.e. bad for business.
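
The case reported in the thread, a CSP that stops an image being swapped for one from another host but still permits a `data:` URL image, can be checked from the policy header alone. This is an added example, not part of the original thread; the function names and the sample policies are constructed for illustration.

```javascript
// Audit what a Content-Security-Policy header permits for <img> sources.
// Added example: function names are hypothetical, sample policies are constructed.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function imgSourceFindings(header) {
  const directives = parseCsp(header || '');
  // img-src falls back to default-src when it is not set.
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) {
    // No applicable directive: any image source loads, data: URLs included.
    return { restricted: false, allowsData: true, allowsAnyHost: true };
  }
  const lower = sources.map((s) => s.toLowerCase());
  return {
    restricted: true,
    // The "*" wildcard does not cover data:, so the scheme must be listed explicitly.
    allowsData: lower.includes('data:'),
    allowsAnyHost: lower.some((s) => s === '*' || s === 'https:' || s === 'http:'),
  };
}

// Constructed sample policies.
const samples = {
  none: '',
  selfPlusData: "default-src 'self'; img-src 'self' data:",
  selfOnly: "default-src 'self'",
  wildcard: 'img-src *',
};
for (const [label, policy] of Object.entries(samples)) {
  console.log(label, imgSourceFindings(policy));
}
```

A policy like the `selfPlusData` sample blocks images from other hosts yet still accepts an inline `data:` image; removing `data:` from `img-src` closes that gap.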