Basically in short, Citibank forces their client to use a vulnerable JRE because only that version is compatible with their application. No wonder Citibank is always on the frontpage getting hacked for at least a few times per year. Why doesn't Citibank upgrade their application? Lazy programmers? No budget? To pentest it (again) is too expensive?
Well, its all up to guesses, but seriously, to protect yourself, it is extremely important to uninstall all older version of JRE (btw, in case you did not know, upgrading doesn't really remove the older version in some cases - flagged as vulnerability in 07) so that application such as the above will not work (without telling you).
Also, as a side note, there is also a simply utility called JavaRa to remove older version of JRE: