What sense is does it make to certify an insecure device that may be subject to all kinds of remote exploits and elevated code execution as 'unmodified'. The argument of the banks is: the device is insecure (even with the latest patches). We all know the whole compliance is a bit more complex, so it might make sense on that level...