Social, Not Software Engineering
Although this man-in-the-middle attack succeeded in obtaining some funds, it wasn't all that successful. Only a very small number of customers were stupid enough to click on the e-mail attachment (which claimed to be an "SSL 3 Update"), and most customers were unaffected.
This is not the first time that Dutch banking customers have been affected: The Postbank uses TAN lists, generated password lists, and thieves have been known to break into letterboxes in blocks of flats to steal these lists and use them to access the accounts.
The fact is that two-factor authentication is much safer than just the passwords used by most UK and US banks. Simple password authentication allows any old keylogger to record your details and give an attacker access to your bank, and keyloggers can be installed from anywhere. Two-factor authentication requires much more sophisticated attacks, and is much harder work for attackers to implement. It's not impossible, but it increases the skill levels needed. It can also only be done while the customer is accessing their bank account, unlike password attacks, which allow unfettered access once passwords have been revealed. In addition, this man-in-the-middle attack required active user intervention to install the trojan, relying on the stupidity^H^H^H^H^H^H^H^H^H naivety of users to install the software on their computers.
Two-factor authentication is not perfect, it's just several thousand times better than what UK bank customers are being provided.