Authentication to online banking services is typically done using something more complex than simple username/password. In most cases you are sent a user ID, and agree some secret in advance with your bank. You are then asked for your ID and a subset of the agreed secret information. Increasingly, banks require the generation of a one-time password on a card reader (in effect this is a password with a very short lifetime). If you use several banks then you will have several IDs, several secrets, and several card readers. This kind of technology works well for a single web site, but doesn't readily transfer to email clients, desktop login, network file access, and so on.
Google Mail, Facebook, ...
There are lots of web sites where you login with a non-expiring password, and may even then upload information that you intend to keep private. If your password is compromised then you stand to lose the security of any information held in your account, and an attacker may then go on to perform actions using your identity (if your email account is compromised then an attacker can typically use this to reset passwords on other sites that you use too). The key issue here is that the web site is typically only providing you with one service, so apart from the impact on their reputation and possible loss of a (non-paying) customer, they stand to lose very little. In contrast, Oxford University provides a wide range of services that would fall prey to a password compromise, and parts of the organisation place a lot of trust on the integrity of these services, so there is potential for large ramifications (think of the simple case of a student who cannot submit their essay because they cannot access their network file store).
Bank card + PIN
Chip-and-PIN is a classic example of two-factor authentication: you need to have the card and know the PIN, so there is no need for the PIN to expire.
Expiry was designed to thwart crackers, but passwords can be found and used within minutes now
One of the few recorded reasons for setting password expiry policies is that in the 1970's, government computers could attempt all possible combinations of a password within about 90 days. So password expiry was introduced and set to 90 days in order to thwart this. Gains in computer speeds have outstripped increases in password and algorithm complexity, but have also become largely irrelevant - many passwords are simply read off a user's PC after it has been compromised, and others are collected by phishing schemes. This is not an argument against password expiry; it is simply a recognition of the fact that password expiry is only part of the solution of keeping passwords secure.
Password expiry notifications look like phishing emails
Users who remember to change their password regularly won't get password expiry warnings. We do try to word them carefully, to avoid the flaws typical of fake emails.
Forcing users to change their password on expiry just means they write it down
Lots of users do write their password down and keep it where other people might readily discover it. Still more type their password into programs that store it on their computer - unknown to the user, but readily accessible to an attacker who gains access to their PC via malware, a vulnerability, or social engineering.
In fact, it is often the complexity requirements that lead to writing the password down - people write their password on a post-it before they are even aware that there is an expiry policy.