It is not my experience that financial services companies are substantially better than startups on cosmetic security issues like username enumeration.
Some financial services are even worse. One of the largest banks/brokerage sites truncates passwords at 8 characters without notifying the user. It is possible for the user to save their password as "password104n35dsu348a21p9sdj28x". They might feel pretty safe with the length, (pseudo) randomness, and complexity of that password, but someone would be able to log into their account by simply entering "password".
However, the big differentiating factor between startups and financial service companies is the faith in them "making it right" when something does go wrong. At this point, we have little reason to believe that one huge security issue won't simply kill a startup like Coinbase and leave all of its account holders out in the cold. It seems pretty safe to say that wouldn't happen with any major bank in the US.
Very true, but if my social sharing website has a username disclosure, it's generally a feature. If my bank does this, it is, as you note, a security issue. Not the worst possible security issue, but still definitely not a feature.
