So? Linode is in a better position to prevent misuse of my VPS than I am. They can cut it off from the network and they have staff which would notice if it suddenly sent 40,000 emails. Does that make them liable if my server gets rooted because of software I install (say Apache 1.3.1 or something) and whoever rooted it installed a mail server on it to send spam from?
I don't see the analogy here at all. The whole point of Linode is to allow you to take responsibility for your own random software. The point of bank security --- in fact, a good part of the point of banks, period --- is to limit access to your funds.
Imagine if instead of passwords, the typical bank required a four-digit PIN. Imagine the bank did everything reasonable to meet best practices standards for validating PINs (for instance, requiring reset of PIN after N incorrect entries). Would anyone think it was reasonable for a bank to stake an entire business cash flow on a four digit PIN?
In 2011, the password is only marginally more secure than the PIN. That this is for reasons outside the bank's control is no more relevant than it would be with four-digit PINs.
The bank should in all cases be responsible for deploying electronic security measures generally recognized by those skilled in the art as reasonably effective. The bank is in all cases responsible for taking "due care" with the security of its accounts. Leaving them exposed to wild high-value money transfers should, and probably does, contravene the due care standard.
