> Not everyone cares about security updates.

OK.

But surely banks ought to. If you care about having a banking app, then you ought to care transitively.

Do they really? All they care is about some particular version of Android (like any other app). I don't think I ever saw any banking app which would check for presence of some particular security updates (not even sure if it's possible).

Right, like the good old "we care so much about security that we blocked rooted devices, but we make no effort whatsoever to check the security patch date":)

None of my banking apps will work on a rooted phone, so I need to keep a 'clean' android phone around if I care to use their app. (I don't.)

Banks don't care about security. See e.g. credit cards where the numbers are just printed in plain sight for everyone to copy them.

It's supposed to never leave your pocket or your hand. Besides, if someone gets your credit card number and purchases something, you can charge it back. The vendor is supporting the risk, not you.

> It's supposed to never leave your pocket or your hand.

If you buy something in a store, you have no certainty that your CC number doesn't end in the hands of store personnel.

> Besides, if someone gets your credit card number and purchases something, you can charge it back.

You have to keep an eye on it. It is easy to overlook if the amount small is enough.

All in all, I wouldn't call this good security practice.

Banks don't even do 2FA properly. They don't care.

Not everyone cares about using condoms for one night stands. Would you apply the same approach to Windows workstations?

I, personally, do care. But I saw lots of computers with old Windows, like XP, 2003 and so on. On my current work we have dozens of customers with Windows Vista which causes lots of headache and significantly limiting us with development tools. Well, it works for them, so who am I to judge. All I can see is that not everyone cares about security updates, including Windows workstations which handle quite important data.