Shared responsibility
I am in no way defending banks here but online banking security has to be a shared responsibility.
I agree that all banks should use 2FA for access to online services, geo-location restrictions could be implemented but this needs to be a discussion between the user and the bank especially if the user travels a lot. Restricting which devices can access an account is another measure that is not difficult to implement.
However I also know that Joe Public on the whole does not like using 2FA. Joe Public has to wake up and realise that using the same password for all their Internet accounts is a bad idea and that 2FA is there to protect their data (and money).