I'd expect that the attack vector banks face most is that oblivious users simply give away passwords through phishing schemes. And banks with reasonable security don't rely on passwords (alone), but on some kind of token generator, in which case such a phishing scheme which directly transfers money to the attacker is the only option (any keystrokes captured are useless after x minutes).