This is like the first thing you learn in web app security (defender or attacker), and you don't even need to write a script; a tool such as http://code.google.com/p/fm-fsf/ will scrape the data quickly.
Even though it's insanely easy to spot and exploit, it's also easy to miss it while coding. But any decent pen-tester will find it. Regardless, unacceptable for a finance company.
No, I don't think it's easy to miss, because it shouldn't be possible in the first place. At least for banking software, the web application layer is not the right place to check for this kind of authentication. This makes me wonder what their code must look like...