The threat model is extremely different for different types of websites. Banks often look at a variety of shit, ip country and often buy off the shelf systems hardened around faking tools.

I don't care what Most websites for security (to some degree) except my bank and my Gmail.