mipadaitu,

A ton of these requirements are due to regulatory requirements for securing access to accounts at the state and/or federal level.

Requirements are then interpreted by each financial institution and implemented by different teams. It’s most likely due to the fact that a desktop is assumed to be more likely to be a shared device, while a phone/tablet is most likely to be a personal device, which is password/biometrics protected.

As for security around a browser: if you look at how phishing/hacking attacks happen on a desktop computer, if you can be tricked into launching a virus, it can copy all of your browser cookies and login sessions to the attacker, then they can duplicate your browser session. If you have an unlimited login for a financial institution, then they now have a logged-in session for your bank.

www.reliaquest.com/…/browser-credential-dumping/

So if you add up all that, then they’re more likely to allow long-term login sessions on an application that they control than on a desktop/web browser that they don’t.
