Sharing such rarely changing authentication data is at the heart of the issue as you point out. It seems like a trade-off of convenience and security with some background fraud cost. However, the issue is always convenience for whom and fraud for whom? In this case, banks have succeeded in mostly privatizing gains from transaction costs from credit card transaction fees while socializing the cost of identity theft to the general public (who have to change their accounts, deal with years of worries, try to straighten out fraudulent charges at risk of not being able to get a job or buy a house, etc.). This is an example of capitalism at its finest from one point of view -- privatizing gains while socializing costs and risks. That is when we need government (as the will of the People) to step in and force banks to internalize the cost of identity theft rather than pass it on indirectly. Ultimately, that might have to be done by big fines for breaches or taxes on unsecured transactions. And if banks had to do that, they would probably rapidly deploy something better because it would be cheaper than raising costs to customers and losing business to other banks that did implement better systems.
Perhaps the only worse thing is when businesses in the USA are allowed to use essentially unchangeable info about a person like date of birth or social security number to authenticate them. Other countries seem to handle this better by having an additional private PIN as part of an SSN. Some also include using the post office as part of the authentication process (like having to present your ID at the post office to approve some transaction or initiate some communications link). I'm surprised the US post office (which handles US passports now) does not get involved with authentication in general, as it seems like a surefire money-maker in the digital age, and the US post office already has procedures in place from passports to verify identity.