A web page is more secure than an app, on theory. That’s because you can’t see the source code, tokens or whatever they use to build it. It’s called a ‘backend’. However, an app is insecure by default so there is a lot of tricks that must be done to secure it (for example Oauth 2.0 flow with pkce). And the software they use to gather the data to show (APIs) must be built better.
So… why then? It’s all about having the means to deliver the experience that the bank wants. Look at voyager app for Lemmy, for example. Why people want a iOS version when the PWA exists? Because it simply works better as a native app.