It still wouldn't work in most cases today... that's why banks have the authorization questions and PINs in place, because they figured this out already. If you try to log in from a computer that the user hasn't already used, you'll get one of a series of questions before you get in... questions that are based on the user, not the password. Then, if your bank is extremely paranoid like mine is, you'll have to enter a PIN before you do anything after that.
They have a point, but it's not as big of a deal as it used to be.
Sites like PayPal aren't as paranoid as your bank, but access to a site like that could be just as devastating for some people, considering PayPal accounts are usually tied to checking and/or credit card accounts, and may also contain a cash balance, sometimes a large one if you run a business that accepts payments through PayPal.
How about hijacking your domain name?
How about gaining access to your account at the site where you have your car insurance, changing the address, phone number, etc., and then canceling your insurance and asking for a refund on unused premiums?
There is a whole lot more than just access to your bank's website to worry about, and a lot of those sites are not as paranoid about security.