Here is the problem rearing up with two nasty heads:
The first is that security has no ROI, and has a relatively trivial financial cost. A major breach happens, a company feeds a PR firm some cash, says they boosted security [1], they toss all affected a year's subscription to some monitoring service, and that is that. Come a lawsuit, there isn't much to sue because they can easily throw their hands up and say that the hackers would get through anything.
Which brings up the second point. In the 1990s, a rogue Internet site could be pulled from the net. Now, doing that is tantamount to an act of war, similar to blockading a port with a naval force. So, no matter what, there is no shutting down blackhats. IP blocks can be worthless since it just takes a compromised computer to bypass them. So, eventually the bad guys will find a way in.
Want an actual solution to the hacking problem? Banks need to create a separate network that uses dedicated physical links and is not connected to the Internet, and if it is, it is connected via application firewalls. Machines are keyed to only be able to connect with other boxes in a pre-arranged manner. If box "A" wants to connect to box "B", it needs to be registered beforehand, or the central switch fabric will deny it. Built into the fabric would be the ability for the central switching fabric to completely lock a box out at the L1 level, so a DoS is stopped.
Yes, this sounds Draconian, and puts power into a central place... but this isn't the Internet we are looking at, but a private network between banks, banks and credit card processors, and other entities. With this in mind, the actual machine NICs could be made with tamper-resistant chipsets, public keys, and authorization can be done via a PKI system.
Higher layers could be controlled by the individual institutions, so that even though L1/L2 traffic is handled by a central authority, application permissions can be controlled on a per-machine basis with whitelists. That way, if the central authority is compromised, machines are still secured. Spoofing is protected against, since public key fingerprints would be used as a part of a box's IP and stored on an HSM on the interface.
This is nowhere near 100%, but what it means is that there is not just an open network for someone to go after a site. To access a bank, it would require a compromise of an extremely hardened CA and an L1 ISP (both the keys authorizing machines to communicate and the actual WAN switching fabric, which could be kept completely separate from each other). If a breach happens, it can be fixed fairly rapidly, and a site failing to address it would be disconnected from the WAN.
In general, not a 100% secure solution, but this gives three benefits. The network is separate, so for any mischief to occur, it requires compromise of the core fabric. Then, individual hosts will have to be attacked, and with contract stipulations mandating a high level of security, this would be difficult. Finally, sites that are too lazy to keep current with security advisories would have their access pulled as part of being on this network.
This is pretty much done with NIPRNet and SIPRNet, so why not a similar WAN mechanism for businesses and finance?
[1]: The security "boost" could be another checkbox ticked off in a GPO object applied to the ass end of the company, so that passwords are needed to be changed every 60 days instead of every 90. Yep, a security boost.
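Added example (not part of the comment above, and not anyone's real product): a small Python model of the layered policy the post sketches. It assumes three hypothetical hosts with constructed stand-in "public keys" (in the real design those would sit in the NIC's HSM), derives each box's fabric address from the fingerprint of its key so a spoofed source address can be rejected, enforces pre-registered (src, dst) pairs and L1 lock-out in a central `Fabric`, and keeps a separate per-host application whitelist that still holds when the central fabric is compromised and approves everything.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for per-NIC public keys. Real keys would be generated
# inside and never leave the interface's HSM; these bytes are illustration only.
KEYS = {
    "bank_a": b"constructed-public-key-bank-a",
    "bank_b": b"constructed-public-key-bank-b",
    "proc_c": b"constructed-public-key-processor-c",
}


def fabric_address(pubkey: bytes) -> str:
    """Derive a box's address from its public key fingerprint (CGA-style), so an
    address cannot be claimed without the key that hashes to it."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def address_matches_key(address: str, pubkey: bytes) -> bool:
    return fabric_address(pubkey) == address


@dataclass
class Fabric:
    """Central switching fabric: only pre-registered pairs may talk, and a box
    can be cut off entirely (the post's 'L1 lock-out')."""
    registered: set = field(default_factory=set)   # allowed (src, dst) pairs
    locked_out: set = field(default_factory=set)   # addresses cut at L1

    def register(self, src: str, dst: str) -> None:
        self.registered.add((src, dst))

    def lock_out(self, address: str) -> None:
        self.locked_out.add(address)

    def permits(self, src: str, dst: str) -> bool:
        if src in self.locked_out or dst in self.locked_out:
            return False
        return (src, dst) in self.registered


class CompromisedFabric(Fabric):
    """Hypothetical attacker-controlled fabric that forwards everything."""
    def permits(self, src: str, dst: str) -> bool:
        return True


@dataclass
class Host:
    """An institution's own box: application-layer whitelist it controls itself."""
    pubkey: bytes
    app_whitelist: set = field(default_factory=set)  # (peer_address, port)

    @property
    def address(self) -> str:
        return fabric_address(self.pubkey)

    def accepts(self, peer_address: str, port: int) -> bool:
        return (peer_address, port) in self.app_whitelist


def deliver(fabric: Fabric, frame: dict, hosts: dict):
    """Apply the three independent checks in order. frame = {src, dst, port, pubkey}.
    Returns (delivered, reason)."""
    if not address_matches_key(frame["src"], frame["pubkey"]):
        return False, "spoofed source address: key does not match address"
    if not fabric.permits(frame["src"], frame["dst"]):
        return False, "fabric: pair not registered or box locked out"
    if not hosts[frame["dst"]].accepts(frame["src"], frame["port"]):
        return False, "host: peer/port not on application whitelist"
    return True, "delivered"


def build_network():
    hosts = {fabric_address(k): Host(k) for k in KEYS.values()}
    a, b, c = (fabric_address(KEYS[n]) for n in ("bank_a", "bank_b", "proc_c"))
    fabric = Fabric()
    fabric.register(a, c)                    # bank A -> processor C pre-arranged
    hosts[c].app_whitelist.add((a, 443))     # processor C only serves A on 443
    return fabric, hosts, (a, b, c)


def run_scenarios() -> dict:
    fabric, hosts, (a, b, c) = build_network()
    ka, kb = KEYS["bank_a"], KEYS["bank_b"]
    r = {}
    r["registered"] = deliver(fabric, {"src": a, "dst": c, "port": 443, "pubkey": ka}, hosts)
    r["unregistered"] = deliver(fabric, {"src": b, "dst": c, "port": 443, "pubkey": kb}, hosts)
    r["spoofed"] = deliver(fabric, {"src": a, "dst": c, "port": 443, "pubkey": kb}, hosts)
    r["wrong_port"] = deliver(fabric, {"src": a, "dst": c, "port": 22, "pubkey": ka}, hosts)
    fabric.lock_out(a)
    r["locked_out"] = deliver(fabric, {"src": a, "dst": c, "port": 443, "pubkey": ka}, hosts)
    # Central authority compromised: fabric forwards anything, host whitelist still holds.
    r["fabric_compromised"] = deliver(CompromisedFabric(), {"src": b, "dst": c, "port": 443, "pubkey": kb}, hosts)
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} -> {outcome}")
```

The point of the ordering is that each layer is owned by a different party: the address/key binding is checked by the receiving interface, the pair registry and lock-out by the central fabric operator, and the application whitelist by the institution running the box, so no single compromise removes all three checks.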