HACKER Q&A
📣 andrewstuart

No major Australian bank even offers an option of 2FA for web, why?


Weirdly, none of the major Australian banks give any sort of 2FA to sign in to their websites. I'm talking Commonwealth Bank, Westpac, ANZ and NAB.

Hard to imagine how this gets past any security audit.

Does anyone know why this is?


👤 jpmoral Accepted Answer ✓
Maybe because they have 2FA on other stuff? E.g. ANZ have it on adding BPay and Pay Anyone recipients, changing contact details, and some (apparently randomly selected) fund transfers. Not saying it's secure, just that it may explain their thinking.

👤 slau
Here in Denmark, banks typically use NemID, a government-issued 2FA system. The basic version uses an OTP sheet of ~140 passwords. People can opt in to use phone-based validation (push notifications to an app and confirmation with a slider). As far as I know (I don’t speak much Danish so I can’t look it up), this is a requirement to offer banking services in Denmark.

I used to work in infosec for governments and banks. Typically, the only way to have these kinds of things implemented is by having regulation that enforces it. Banks don’t want to have to foot the bill for 2FA, and they can (as another poster pointed out) claim the user was careless with their password to not have to cover phishing attacks. Most of the time, banks will claim that their user base is in remote locations and SMS-based 2FA is unreliable (believable in Oz), or that they don’t want to “inconvenience their customers”.

The other issue is with choosing a tech. What if the bank picks wrong? What if it has an enormous cost?

A bank in the UK decided to use smartcard/credit card based OTP, and it resulted in the torture and death of one or two foreign students. It’s quite simply safer to wait until you’re regulated to use a specific tech, just so that you can’t be blamed if it backfires.


👤 RileyJames
Unclear about this; I have CommBank and Citibank accounts and both require 2FA to log in to web banking.

What exactly are you referring to when you say “website”?

CommBank's 2FA can be disabled, though.


👤 Dicey84
I think it's just the banks' 'she'll be right' attitude.

ING still uses a client code, which is written on your card, plus a 4+ digit PIN code on both web and app to log in.

It will take one decent breach for them to wake up.


👤 nocubicles
I remember when I was working in Australia in 2008-2009. When I wanted to deposit cash into my bank account I had to put that cash into an envelope, write my name on the envelope and then push the envelope into a hole in the wall at the bank. Then they would count the money and it would appear in my account in a couple of days. I remember it was really funny because we had had ATM deposit machines for a long time back home.

👤 jazoom
BOQ forces me to use a specific non-standard (Symantec) app on my phone as 2FA, which I also find stupid, especially since I can just call them on the phone and they'll reset it for me. What's even the point?

👤 christopher8827
It's because of "Not Invented Here" policies. I have seen some banks use 2FA for internal logins - Westpac uses RSA SecurID tokens.

👤 tcbasche
As an aside, I once had the misfortune of being with CommBank, and their password policy for the app was case insensitive.

👤 aurizon
If they implemented 2FA, there would be a huge drop in frauds. Since the banks rely on denying blame by blaming customer carelessness and making the client bear this loss, often with high credit interest rates or loan fees, they would lose a lot of $$ by closing off this profitable aspect of their business. Doubt me? They are banks - never forget that.