I once submitted a bug report to my bank, through 3rd party that they had hired to administer their bug bounty program. The 3rd perty determined that it was a pretty high severity issue, because the setting to require a password could be disabled without entering a password. The bank closed it as works as intended, because they had only meant for the password to be optional, out of convenience.
I gues this is in line with their normal practices, as they were unable to issue me a debit card that only works with a PIN, and can only issue cards where the PIN is optional.