franga2000 8 hours ago

I see this argument everywhere and I've never heard of a case where a bank was liable because a customer was phished. I've even asked for examples and nobody ever provided them.

It's one thing to argue in court that they should be liable because they didn't provide you with the necessary security tools (like MFA), but they all provide at least SMS 2FA these days and their apps run on iOS and Android, both of which have plenty of security features.

cwillu 7 hours ago

If a bank is required to reverse fraudulent charges (and they are), that means they're liable for those charges.

izacus 7 hours ago

In reality what happened is that some security auditor put it into a checklist for the mobile app "Security ISO certificate++" and now everyone implements it for compliance.

Fighting against that is insane paperwork and professional exposure for software engineers that do it (since if people get phished, the C-suite will point a finger at a tech lead who went against the "professional security audit").

Most of the other posts here are just post-rationalization and victim blaming.