Elaborate please. PI on its own is just an insurance API for banking and similar apps to ensure that they can do secure compute on the device. It can also be used to check if the device that the app is running on is a genuine Android device, since no VMs or custom ROMs can pass hardware integrity.
Very old, unpatched and rooted devices can fairly easily pass device integrity check.
It primarily assures the software vendor that the phone is running Google buttplug in the privileged mode.
Remember, handsets running on ANCIENT versions of Android with no patches for years. Whilst it seems to be important to raise under the Forbes article (rightly) fussing about a couple of zero-days.
"Custom roms" (whatever that means) can easily spoof the checks in the specific situation (mainly hardware that allows for several things).
What sense does it make to certify an insecure device that may be subject to all kinds of remote exploits and elevated code execution as 'unmodified'? The argument of the banks is: the device is insecure (even with the latest patches). We all know the whole compliance thing is a bit more complex, so it might make sense on that level...