The site for my credit card requires a password that is no more than 6 characters -- talk about insecure.

Not necessarily. Oftentimes banks will set a hard limit on the number of unsuccessful attempts you can make before they lock you out entirely. Then you have to phone them and jump through a number of hoops to prove you are who you say you are, and then reset the password. If they do a really good job preventing brute-forcing, then having an un-brute-forceable password is not necessary any more.

The easiest example of this is debit card PINs. They are usually only 4 numeric digits, and yet are trusted by banks for direct access to accounts. This is because a) banks have sophisticated systems to track brute-forcing and other kinds of abuse, b) longer pins are more prone to being written down, forgotten, and mistyped, and c) there are limits on how much you can purchase / take out per day, limiting the potential damage.

PIN requires you to possess a card with the account details and relevant security data. Yes they're clonable but you can't do a distributed attack on thousands of accounts that way.

Online, as many banks have leaked customer data, one can use a botnet to try common passwords against thousands of customer accounts (you may need to get account data elsewhere to do this or customer numbers may be guessable). 6 chars severely limits the passwords to try.