Banks are notoriously bad about updating their technology practices. They didn't really stop using DES in their ATM's until it was required by law that they update to 3DES in 2002 (DES encryption has been theoretically broken since the 80's and practically, that is it was done in something like 17 days, broken since the 90's). For them, the potential losses from java exploits just don't outweigh the price of switching the infratstructure in place.