There're some banks that still need them. The irony is that, since their applet is signed, the user must click and confirm that he trusts the thing every time. Hackers can leverage that users won't read a damn thing, they will just click next to build an applet with file system access. Why exploit flaws when users will simply click a trust your applet?

I don't trust my bank with a signed applet (why the hell do they need that?), so obviously I only access my internet banking using a VM.