Hacker News: redshat's comments

I work at a large bank and a majority (if not 98.98989%) of the employees are morons. This doesn't surprise me one bit. I hope we find out which bank it is; I would bet money on it being the one I am employed at. Banks do security through obscurity and worry more about COMPLIANCE than they do actual security and that is a fact.


I also work at one of the top tier banks but I’m not quite as doom and gloom as you. (Maybe I’m one of the 1.01011% – finally!)

It’s certainly true that some security practices within our organization seem more like security theater than anything else, but overall I think they have pretty reasonable standards and requirements set. It is very true though that the culture is almost entirely focused on compliance more than anything else, so there’re few proactive measures taken by teams. Lord knows no team I’ve ever seen outside of security wants to budget for it. Maybe it’s a damned if you do, damned if you don’t kind of situation. If you don’t set compliance regulations you’ll get no security (move fast and break things, yay!) but if you do you end up with people ticking boxes saying “the thing is secure and stuff yo” and then playing the blame game when it isn’t.

My feeling though, having worked with top tier banks in the financial industry for the last 8 years or so, is that more people are competent than not, but process stifles creativity and drive a lot of the time. It’s a very special kind of environment to work in.


As someone who also works at a bank (though not a large national one) I get the same feeling, though I understand it to an extent. Not complying with bank standards means you get dinged if you get audited. Getting dinged means you will most likely get your budget cut by an amount next quarter. Or get the group "reorganized".

