Re: password specifications..
"the servers handling authentication are much less likely to have been compromised with malware"
OTOH if your device is compromised you lose control over your own passwords and, frankly, the bank isn't going to care about that. If the authentication server is compromised they lose control over everyone's passwords and, of course, the bank ... Yes, you can see why they're choosing such an insecure option.
Seriously, there are two aspects to risk. One is the probability that something will go wrong, the other is the scale of going wrong.