ECG still suffers from the same problem as all biometrics
The machines/detectors don't actually read your ECG/iris scan/fingerprints/etc. They digitize those attributes of yours and then feed them into a computer that decides you should have access to a building/bank account/computer/etc. So it is no longer your analog biometric attribute, but a bunch of 1s and 0s in a file, like a word-processed document or a photo of you at the beach.
All the bad guys have to do is get hold of your ECG or other biometrics files, and figure out a way to insert them into that computer that grants or denies access, and they get whatever access rights you have. Meanwhile, you are screwed for life because you can change a compromised password, but good luck changing your formerly unique biometrics once they are out in the wild.
Biting the hand that feeds IT
