As many mentioned 2 factor security, the other part of this is how long a password can stand up to attacks.
A four days digit password can be cracked in a flash with multiple attacks. Those attacks made online can use methods to mask where the attack I’d coming from. And often just keep trying forever.
Your pin tied to its card has 3 tries and you are locked out.
Also money isn’t as big of a loss as information. Most banks cap how much can be taken per day. Where if sensitive information is stolen damages have the potential to be far higher than a few thousand dollars. Especially when you consider the ability of the provider to pay damages. Banks are well financed not all apps are.