TLS (not SSL!) and DNSSEC should go hand in hand, where the first is today more about content verification and the other validates the origin. But bunq is failing there. I see no DNSSEC on bunq.me, no PKP header or TLSA record, even HSTS is missing. Also no CAA record, but that one is still barely used.
The DNSSEC part is odd since they are using TransIP’s nameservers where it is enabled by default. So they manually disabled the security layer?
https://ssldecoder.org/?host=bunq.me
https://dnssec-debugger.verisignlabs.com/bunq.me
I agree an EV is only an overpriced visual feature, the tech behind it is equal to a DV or even self-signed. But it is better than only the lock icon, which only indicates that there is ‘a’ secure connection, not who you are connected with. EV tackles that, especially combined with the other (missing) requirements.
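As an added example (not part of this post), a small Python checker for the items listed above: HSTS with a sane max-age, a DNSSEC chain (DS record), a TLSA record, and a CAA record, run against a constructed snapshot of headers and DNS answers instead of live lookups. The HostSnapshot type and SAMPLE data are assumptions made for the example; the DNSSEC/TLSA dependency it flags is the caveat a practitioner would add.

```python
from dataclasses import dataclass, field

# Hypothetical snapshot of what a scanner collects for one hostname:
# HTTPS response headers (lower-case names) plus DS, TLSA and CAA answers.
@dataclass
class HostSnapshot:
    host: str
    headers: dict
    ds_records: list = field(default_factory=list)    # DS at the parent: DNSSEC chain exists
    tlsa_records: list = field(default_factory=list)  # _443._tcp.<host> TLSA (DANE)
    caa_records: list = field(default_factory=list)   # CAA at the zone apex

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains)."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def audit(snap, min_hsts_age=15552000):
    """Return the list of gaps found; an empty list means every check passed."""
    findings = []
    hsts = snap.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age, subdomains = parse_hsts(hsts)
        if max_age is None or max_age < min_hsts_age:
            findings.append("HSTS max-age below %d seconds" % min_hsts_age)
        if not subdomains:
            findings.append("HSTS lacks includeSubDomains")
    if not snap.ds_records:
        findings.append("no DS record: zone is not DNSSEC-signed")
    if not snap.tlsa_records:
        findings.append("no TLSA record for _443._tcp")
    elif not snap.ds_records:
        # DANE clients only trust TLSA data that validates under DNSSEC.
        findings.append("TLSA present but unverifiable without DNSSEC")
    if not snap.caa_records:
        findings.append("no CAA record")
    return findings

# Constructed sample: a short HSTS max-age, a TLSA record, but no DS or CAA.
SAMPLE = HostSnapshot("example.test", {"strict-transport-security": "max-age=300"},
                      tlsa_records=["3 1 1 <constructed-hash>"])
```

Calling audit(SAMPLE) lists five gaps, including that the TLSA record cannot be validated because the zone is unsigned.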