2 Factor Authentication using the same device is broken by design. That's why. If you read the contract with your bank carefully I'm sure you find a paragraph where there's stated that they are not liable for any losses if you use the banking app and TAN on the same device. And your example of a bank getting hacked is a totally different story. Simple as that.