Financial institutions are under a lot of regulatory scrutiny. If there is a material data leak and they haven't taken due care in ensuring their data is secure, the directors can be jailed - that means there is a high level of due diligence to ensure that the cloud provider has the right level of controls in place and that they are audited regularly.
There is also regulation stating how long they must keep different types of records so if any key records are stored with a cloud provider, the provider needs to provide details of offline backups and how these records can be accessed many years from now. Once again, failure to keep these records can result in a directory being jailed.
Let's take AWS S3 as an example 99.999999999% durability.
They store your data in 3 geographically different locations (so they store 3 copies of your data in completely different data centers)
Not only that, they have invested heavily (and still do) on software the ensures this durability.
Many banks write data to a tape drive and call it a day.
Corruption of data on those drives would be invisible to them until they need to get the data.
You just simply cannot expect a bank with 10-50 people trying to backup data to compare to something like S3 with 1000+ employees working on one product that aims to store data reliably.
But if you wish to believe this, I guess that is your prerogative.
Putting all critical systems in the cloud is also concerning as if certain systems were hacked, they could result in massive losses (billions, if not 10s or hundreds of billions).
Financial institutions already have massive security problems. (Both VISA and Mastercard have had massive hacks)
I can gaurantee you local banks have also, they just try keep it quiet but when you dig you'll find articles where people have lost money which was reversed by the bank.
They hire a small team of people and expect that team to keep the underlying hardware up to date, the software patched and up to date, etc.
All the while trying to keep the budget small.
Again, compared to cloud where you have an entire business unit dedicated simply to something like a network layer.
The cloud company is throwing engineers and money at the problem.
A Bank engineer needs to worry about OpenSSL versions, dealing with credentials, setting up load balancers and keeping them secure.
With a single click I do the same on AWS.
The load balancer and instances gets its credentials securely, managed by a policy document.
Just the effort of that part alone is years spent on development and maintenance.
The economies of scale are simply against you if you go this alone.
There are some valid uses for cloud in financial services - your example of client side encrypting with AES256 is a perfectly good one. If you need to deliver files, as long as they are client side encrypted with a sufficiently strong encryption is a perfectly good use case - you could even publish the files on your web site.
But moving all core applications (most of which were not built for cloud) - you can't encrypt all data on client side.
If you move data without using either SSL or encrypted data. Your application is insecure.
There is simply no way around it.
This is the number one reason so many of these large corporations get hacked.
It is such a easy mistake to think your inner network is safe.
You store data encrypted at rest and you communicate with SSL.
Those are the simplest principles of security.
It blows my mind to think that in 2016 people still believe in things like "secure" networks where non-SSL, unencrypted data, plain text this and that, etc. are ok.
With banks, they have sufficient economies of scale to run their own internal infrastructure at a far lower cost and much better uptime than what the cloud providers can do.
I really don't see how they can have better uptime.
Economies of scale, for a bank, again doubtful but at best it will be really close