Bank's actions seem to make sense to me.
I mean, consider the following two policies that the bank might have:
1) Destroy all old gear. This rule is to be followed without question or exception. Individual thoughts and reasoning are overruled by the rule. Obey always, no matter how little sense it seems to make in the particular case.
2) Destroy old gear, but this rule may be broken if individuals think it doesn't make sense in the particular case.
Now, rule #2 is clearly a lot more vulnerable to errors and attacks...
In fact, on rule #2, all you would have to do to get something that does have sensitive data on it is convince someone with decision-making power that it doesn't. Rule #1 is immune to this, because even if you are completely successful in convincing the decision-maker that there is zero risk, he still won't give away the device. I know which rule I'd rather have my bank follow...(hint: it ain't #2).