Not sure where gp lives. But most banks here restrict you to 4 digits as the password. So basically a PIN. If you are lucky, you get 6 digits or even letters. But be careful: if you use “fancy letters” (symbols, umlauts, …) you risk locking your account: you will be able to set this password, but the actual login form won’t allow you to enter it. Banks here are highly regulated, so don’t hope for competent competition.
They mitigate the obvious security thread with mandatory 2fa (actually mandated by regulation). Some use this as an opportunity to push their apps: no separate 2fa method, but only integrated in their bloated app, that checks for rooted devices and only supports the newest OS.
It’s quite hard to find out in advance, what 2fa methods with which fees each bank actually requires. I remember that some of them had funny ideas, what a customer should be billed for 2fa SMS. I think it was 50 cents per SMS.
Actually you have a point. A collection of shell scripts (like the classical init systems) have obviously a smaller attack surface. In this case the attacker used some integration code with systemd to attack the ssh daemon. So sshd without systemd integration is safe against this specific attack.
In general, I’m not convinced that systemd makes things less secure. I have the suspicion that the attacker would just have used a different vector, if there was no systemd integration. After all it looks like the attacker was also trying to integrate exploits in owner libraries, like zstd.
Still I would appreciate it, if systemd developers would find a better protection against supply chain attacks.