When you use a credit card online or in the store, the merchant can use various information like your address, phone number, the security code printed on the card, your signature, to confirm the card is valid. (The U.S. is finally rolling out EMV smart card chips.) This is actually optional - the merchant doesn't have to do it. But if the cardholder issues a chargeback, the merchant's chances of successfully contesting the chargeback are much better if they've used these options. If you've ever wondered why the gas pump asks for your zip code when you use a credit card, this is why. It's not trying to collect marketing data, it's doing a rudimentary identity check to elevate the chances that you are the card's actual owner.
Anyhow, allowing transactions using only the card numbers themselves is horribly flawed because anyone can just take a photo of a card to get its numbers. So the credit card companies have come up with these other methods to "verify" the card's authenticity. (I put it in quotes because it doesn't actually verify the card's authenticity, just reduces the chances the card is not authentic.) Apparently Apple refused to forward much if any of this information to the banks when a fresh card is first being loaded into Apple Pay, making it easy to load a stolen credit card - easier than actually using the card for a purchase. And the banks were too cowed to make an issue of it, landing them in the mess they're in.
On the one hand it's the bank's fault for not speaking up and pressing a vital security issue. On the other hand it's Apple's fault for being an 800 pound gorilla which uses its market clout to force concessions from its partners. Stuff like this is why you always want at least two strong competitors in a given market - so if one makes unreasonable demands of a business partner, the partner is not afraid to tell them to go jump in a lake. It's the same reason we allow unions - because the hiring employer has a lot more clout than the individual employees.