That's the point. The device being compromised to the point that malicious code is actually meddling with the bank app is the only time that having it fail attestation would be useful. The other cases are useless/vexing false positives. But attestation doesn't happen in the one case it would be useful, because then the attacker-controlled code won't even attempt to do it; it will just exfiltrate the user's credentials to the attacker.