
Levels of security vs levels of threat
While I can see that there's a clear problem with the user name/password model for account access, how many companies have the resources available to match the banks with behavioural authentication methods of fraud detection? Very few, I would think. I can't fault it as a system ideal, but it's as impractical for most companies to put in place as it would be for individuals to remember 256-character, multi-faceted passwords.

As a manager of accounts on a business system, the biggest problem I have account-wise is not, directly anyway, a problem with the user name/password model. It's that people don't use it properly. In these modern times, if people are idiotic enough to use 'password' as their password for all of their account-related access, then they've only got themselves to blame when accounts get hacked. I'm gobsmacked at the number of our employees that do, however. Or did, I should say. Having seen this behavioural trait, I've put measures in place to make sure that's not possible any more on our systems, but the fact that people would if I let them is indicative of the wider issue.

As a collection of supposedly smart people, the majority still don't see password-driven account access as being under any sort of threat. We don't need sophisticated, expensive systems to help that situation. People simply need a better understanding of the consequences of using poor passwords, and of using the same password on multiple sites. It won't resolve the problem, but it would help enormously.
Posted by tommy@...
Updated - 20th Mar 2012