I think you’re being too pessimistic about IT security, particularly in the Financial sector. A lot of the security rules and audits aren’t even government-run, it’s the sector regulating itself. And trust me, they are pretty thorough and quite nitpicky about stuff.

The cost of failing an audit also often isn’t even a fine, it’s direct exclusion from a payment scheme. Basically, do it right or don’t do it at all. Given that that is a strict requirement for staying in business, most of these companies will have sufficiently invested in IT security.

Of course it’s not airtight, no system really is. But particularly in the financial sector most companies really do have their IT security in order.