Is my bank being utterly stupid about security?

I signed into my bank’s website and they demanded I change my username because it was found on the web–duh, it’s my name and I’ve been online since the old BBS days. Huh? Since when are account names something to be protected?

The rules presented for usernames included that it couldn’t be part of my e-mail. However, after rejecting their system suggested _. Is the latter really any more secure?

Is there reason behind this or is it just cargo cult behavior?