You're vastly overrating the size of the vulnerability and the security of banks. This would not have been caught by internal security teams at most banks and even if it was caught, it wouldn't be considered a major vulnerability on a major banking website.
With that said, this is a bigger vulnerability precisely because Facebook is a free service - at banks, you need to be a customer with real-world identity to even begin to attempt to exploit this.