Before choosing an online bank, I portscanned the networks of the banks I was considering. It was the only way I could find to get a rough assessment of their network security, which was important to me as a customer for obvious reasons.
[snip]
I'm not arguing it's good practice. I'm giving it as an example of a reason why somebody might scan your network, even though they were not planning on attacking.
Even then, it's not really effective. Most compromises I have read about to major banking providers are from someone at a business partner or something inside the business indirectly related to the web service being compromised and then the internal network and any inherent trust relationships being compromised. Very rarely is it something super-obvious like an open service with a default password (but I'm sure there are notable exceptions). So a portscan of their forward netblocks isn't really a 'test' of their network security, imo.

- James