
It's ultimately a tradeoff, and for an organization like a bank it's a really interesting one.

Every added security requirement limits the size of the customer base that's going to use the online system. For myself, a two-factor system with an app or SMS to provide the second factor would work fine, but for my parents it wouldn't. Every increase in security requirements has a tradeoff between customers that will use it and customers that will abandon online banking because it's become "too hard".

For the bank, when a customer abandons online banking, that means that there are longer lines at the branch, which means they need more people to provide the same level of service.

Note that I specifically said "security requirement". If two-factor authentication were optional (not a requirement), then some accounts would be more secure than others. This would potentially make the less secure accounts more of a target, since attackers may avoid the more secure accounts. There is also all of the development, testing and maintenance effort required when you give different customers different authentication methods.

The bank knows all of this and more. They balance their risk (reimbursed customers due to poor security) against the costs (people abandoning online banking, people switching to an easier-to-use competitor, implementation costs, etc).




Despite all major banks in Sweden strictly requiring two-factor authentication, 82% of Swedes between the ages of 16 and 74 use internet banking[0]. Are there really that many users who are scared away by it? Perhaps Canadians are less tech-savvy in general than Swedes?

Personally I'd be scared away from internet banking if my bank had a weak password scheme - and I remember that was the kind of comparison the consumer magazines made between banks when internet banking showed up in the late 90s - "which is more secure".

[0] And between 65-74 years, the number is still 60%! http://epp.eurostat.ec.europa.eu/tgm/table.do?tab=table&init...


There is also a herd immunity as the bank is highly unlikely to post two lists on their website, one of low security users and another of high security users. So outside attackers have to break the first ring of security before knowing there exists a second ring.


Google doesn't require two-factor auth, but strongly recommends it and lets you use it if you choose to.



