Most/all banks and brokerage sites I know of do not require 2FA for their users. It is always optional.
Most/all banks I know have 8-character passwords, useless PINs as a fake primitive 2FA, and many similar practices that would make any sane developer scream.
Banks are not exactly a paragon of "doing it right". Actually they are one of the most prominent examples of "patch together some badly coded stuff, if anything breaks we don't really care".