Not so fast. You don't know if everything is coming down the pipe using SSL. They might be trying something fancy with AJAX, performing a remote call, the server spits back JSON on a regular connection, screws up the headers, and it gets cached. You really can't tell. It is a possibility.
I take it for granted that banks do stupid things. Just look at their password policies, for example. Many US banks basically prevent you from setting a strong password. Or my Austrian bank (http://www.easybank.at/), which includes JavaScript code from typekit.com to use some Adobe fonts. Makes me feel much safer knowing that the security of my online banking interface does not only depend on my bank's site, but also on the security of Adobe's site.