Disasters can happen slowly. This one did, in a series of decisions from multiple actors. The main inflection point was allowing third parties to develop for phone platforms. Then banks etc. went through a process that ended up forcing the use of a smartphone exclusively for a lot of applications that are sensitive. The same device runs random code downloaded through various means (app stores, preinstalled bloatware installing even more crap on cheap phones, websites, embedded webviews for ads...). This is now an entrenched status quo spread across multiple actors and unaligned interests.