As someone who has been the lead for many large banking systems, I can say your intuition on this one is off. Banks enforce these rules because some internal security group set the rule a while back and that's what they use. Many smaller banks use whatever password scheme the banking software service provider has as its default. It's just bureaucratic deluge. It's certainly reasonable to pontificate that this deluge results in safety per your rationale. But I have never seen a study that shows this to be so. It may well be that many set their banking password as the first account they ever used on the Internet and then reuse this same password for subsequent systems.