by simi_ 4112 days ago
https://twitter.com/ansimionescu/status/576425676036780032

I work in security/privacy/premium snake oil trade. Bank security (and software in general) is _usually_ a joke. The main reason for not fucking with a bank is the same as why you wouldn't fuck with casinos, or the mob.

2 comments

I used to write trading software - had test FIX accounts on live CBOT, CME, Xetra, LIFFE, LME, etc.

Decided to see if I could still log in to any of them about a year ago. Still could on half of them. I left that gig a decade ago.

Oh, and a few of them have no trade limits or risk management.

Boggle.

20+ years ago I had some security discussions with a major exchange in the USA. In the same building were offices of Goldman Sachs and another bank (Morgan or Merrill, don't remember). Anyway there was a single thinnet (10base2 ethernet) that connected them to the exchange. Yep, a quick sniff showed that everyone could see everyone else's traffic.

My contacts were genuinely surprised that this was even possible. But also I was told there would be no contract if I mentioned this to upper management in my report.

There was no contract.

> you wouldn't fuck with casinos, or the mob.

Why wouldn't I, from the other side of the world, from the wifi connection of a coffee shop on the other side of town, bounced through a couple VPNs? It's one thing if I have to walk inside the casino, but the internet isn't like that.

No, that bank on the other side of the world is likely insured by a company in the US. The global financial system is intricately linked, and the bankers and insurance companies effectively run the global economy. Given that, do you think it's really a huge stretch to think that three-letter agencies from the US - the ones with documented capabilities to de-anonymize your VPNs if your OpSec is even a little sloppy - might get involved? Jurisdiction wouldn't be an issue if the bank asked them for help.

There are many ways to ensure security: one is technical, and another is investigative. The amount of resources a bank can bring to bear on you if you steal money from them is immense - IMO it's just best not to mess with that shit. It may have been true at one time that you could outsmart the banks and get away with it, but there are just too many smart people watching anymore.

My other personal analysis, from looking at banks in a third world country, is that you can't easily get away with enough to make it worthwhile. Sure, it'd probably be trivial to get money moved around inside the bank's own system. But getting it out from there seems to involve actual competent actors that aren't third world. Getting it out directly from the bank also seemed unlikely, because they manually check things for such low amounts.
The problem is cashing out. Any method of transferring the money to somewhere you can spend it (including Bitcoin) is going to require an identity. Not impossible, but certainly not as easy as Tor.