There's stories going round even now, at the "dawn" of the Apple payment thingy, that it's hopelessly compromised: http://www.popsci.com/apple-pa... but apparently it's not the app itself that's broken, it's hte way it's implemented. Banks are all too eager to approve the addition of cards to random phone numbers, which opens the door to fraudsters getting hold of card numbers, and through a bit of ferreting around on Facebook and maybe throwing out a few seemingly innocent pop quizzes ("What's your cat's name?" and "take the first letter of your oldest child's name" are two recent examples which are also used in bank security questions) to hook their victims, they can then empty accounts with gusto.
This is why I hit the "Fuck off - it's not secure" button. This is why I don't have a bank account and this is why I don't have a Facebook account.