
The last bank backend I worked around was composed of several interacting systems, written 30 or 40 years ago in COBOL, which ran batch jobs overnight and communicated with each other by writing files to disk. We were strongly encouraged to get the format of the file exactly right, or the batch job in question wouldn't run and nobody would be able to sort it out until morning. Passwords weren't involved but, if they had been, I am quite sure they would have been stored verbatim.

So, two problems: multiple interacting systems, which means you can't just fix one, you have to fix all of them; and lots of legacy code. Versus: there would certainly be quite a lot of pain to implement a new system, and the old one appears to be working.



So it's a problem where the system must be kept up and running no matter what, and refactoring everything might cost more than having some security threats? Or is it just plain greed and a "while it's working now, why fix it?" kind of thing?



