I would like to point out that, despite this arguably catastrophic situation, it's not much of an issue in practice.

Stealing credentials through third-party code is a relatively expensive attack. It has to be engineered for a specific site and then it needs to pass the auditing of the vector (i.e. the ad network, or the developers).

Once the attacker has achieved that, what do they get? The credentials for most sites are worthless. Of course some users might use the same password on multiple sites, but they had it coming.

Those sites that do have valuable credentials also have heightened security measures. If your bank is serving you ads on the login screen, perhaps you should use another bank.

