Sorry but "rooted" does not mean you automatically give root access to every app. You can still decide which app can have root access, which not. In the above case, he only installs banking and finance apps (without root access) and no more, not even use the device to browse the Internet. I fail to see how dangerous it is simply because the device is rooted.
In this scenario we are talking about an OS version of 4.4, which back then, yes a properly coded malware app can give itself root privelage using certain methods that I will not discuss here. The fix for one of those methods was introduced in Android at around the time of Nougat.
I'm not talking about which should be responsible. Rooted can be safe if the user knows clearly what he is doing. It is more dangerous if the user is reckless and does not have any sense of security. An unrooted device does not help to save his butts. The user is usually the weakest link in security.
Yes we know that. But the bank and Google does not know if the user is tech savvy or not. Hence, it's common practice to just cover for every idiot out there, which of course makes it more difficult for more tech savvy people.
If this is the case, the bank should redesign its app. SafetyNet can be fooled, so do other root detection methods. A cyberthief would find a way to run the bank app in a rooted device anyway.
What's more some bank/finance apps simply let them run, or only disable some features but not disallow running. It is beyond me they still let them run if it were so dangerous to allow an app to run in a rooted device.
How much more can you redesign a portal that just accesses your database? Whatever you do, it's still going to access a database and a thief can piggyback on that if access was achieved. Without that access, that bank app is useless anyway. Even if root detection methods can be fooled, it also does not mean that it's the only security feature of the app. Plus, you don't have to make it easier for the cyberthief. If it was as easy as that, then everybody with a little time spent Googling can crack their banks. Which obviously in this case, did not work.
Also, you also have to consider the server side protection. If the bank employs a server side protection that they are confident enough to let their app run on a rooted device albeit in a limited manner, then they will code their app to do so. But if a bank is paranoid and/or has not yet upgraded their server side protections, then obviously they're going to slap on every lock they can find.
The main issue here is people seem to think about these things as "just THEIR phone". It's not. It's connected to several things, and each of these things are connected to other things which may or may not have their own security protocols which you have to respect. Security on the apps goes beyond that device you hold in your hand.
