Because they are hellaciously expensive, in terms of:
* cost to retrofit the backend of these systems onto the bank's retail software
* cost to roll out tokens to customers
* ongoing support costs for e.g. lost or broken tokens
To all that, you have to layer on the fact that tokens are priced for a different market (enterprise security), so the existing products aren't packaged in a way that makes them palatable to (say) Bank of America's many tens of millions of customers. You can't wave a magic wand on that problem either; tokens are packaged the way they are now because that's how you can keep a token company in the black.
You know, I have a checking account that I don't keep a lot of money in (because I rarely write checks nowadays) but have had so long that I don't really want to close it. I was surprised to notice last week that the bank is charging me $12/month in account fees unless I keep a minimum of $1000 in it at all times (effectively, an interest-free loan to the bank). For $144 a year, I think they can afford an RSA token or something better than the existing nonsense.
I know, the bank makes money from fees and that's the price I pay for access to a large ATM network..yet I distinctly remember a time when they made money from lending, while still managing to have a risk management policy grumble grumble
Banks are moving to multifactor auth systems. Expense is slowing the process down. Buy me a beer next time I'm in San Francisco and I'll give you anecdotal details I can't give here.
I think one obvious (but HN-unfriendly) point to be made here is that the overwhelming vast majority of bank customers could give a shit about online authentication systems.
Switch to a credit union, then. If your profile info is accurate, you live in a region served by the SF Fire Credit Union (http://www.sffirecu.org/). I switched to them a few years ago and it's been a great experience. Save yourself that $144 a year.
They have the largest ATM network on the planet; every ATM is free-of-charge. (That is, they'll refund the fees, if the ATM charges any.)
Make it an optional smartphone app, like Google's two-factor auth. Maybe let people buy a token like Mt.Gox does (they are hardly huge, and they could afford it...name.com and World of Warcraft too.)
You know what was expensive? The bank bailout. I want my $8,333 that I'm paying to keep banks open back.
* cost to retrofit the backend of these systems onto the bank's retail software
* cost to roll out tokens to customers
* ongoing support costs for e.g. lost or broken tokens
To all that, you have to layer on the fact that tokens are priced for a different market (enterprise security), so the existing products aren't packaged in a way that makes them palatable to (say) Bank of America's many tens of millions of customers. You can't wave a magic wand on that problem either; tokens are packaged the way they are now because that's how you can keep a token company in the black.