I'm actually OK with the former companies (that are doing their best) getting reasonable extensions and then being held accountable to make the agreed-upon progress. Getting PCI DSS compliant is a reasonably long and fairly hard struggle for a corporation that hasn't done much relative to security.
The other type of company should be drawn and quartered (and fined) and made to understand how important it is to safeguard customer data. But that is likely a losing battle.
In terms of why the banks would offer these extensions, it's a basic risk management decision. They assess the track record of the retailer and try to figure out how exposed they are to fraud. Then they decide if it's a good idea to issue the extension versus saying no and risking that the retailer will take its business elsewhere. Remember, merchant banking is a competitive business, and some banks will relax general risk standards if they think it's a good business decision.
This was first published in January 2008