It's actually worse than that. It's fixed 4-digit or 6-digit. Most customers probably use the same 4-digit password for online/telephone banking as they use for their debit card's PIN. I don't care what legacy software the backend is built with; a 4-digit or 6-digit numerical password should frankly be an illegal way for a bank to do business.