Okay, I'm inclined to agree here, but what I don't see addressed is: If you set up an account with a username and password, then write it down on a slip of paper, and then drop that in a cafe, and someone else logs in as you and drains your account, is the bank liable for that too? Are all services with logons? But that looks identical to identity theft in a lot of ways.

If bank mandated security controls are breached, or they don't provide adequate controls, I feel like that that's on them. But if they've done their part and you've been irresponsible then that's on you. But where's the dividing line? And saying the banks have more responsibility can also justify more biometrics and surveillance.

Is the differentiating factor here that the bank (or whatever) is allowing access with insecure credentials (name, date of birth, phone number) instead of the primary credentials?

In the case they gain access to my account, I agree with how you presented it. If someone emptied my account with info about me they could find in data breaches, that shouldn’t be on me.

If they gave a loan or a credit card to someone pretending to be me. That’s now on my credit rating and historically very difficult to undo.