- When the system is operating normally it asks for a different pair of characters each time. The fact that it is not doing this is a symptom of it being overloaded IMO.
No it's not, it is a symptom of it being badly implemented. Every time you connect to the server, to login, it has to issue you with a prompt for your details - this obviously takes processing power so if you get a prompt then the server had the grunt to get this far in the process. It also has to select two characters to prompt you for, and it has to record which character positions those are to match against your full password later - this is the step at which it should nominate which two random characters which you are expected to supply, and the fact that it doesn't select random characters every times means that the selection process is not really random at all, which equates to weaker security because the system is badly designed and/or implemented and not because the server(s) doesn't have the resources to function.
- The bank cannot be expected to design computer systems that have the capacity to handle a run on the bank - it just wouldn't make any sense, and there are sound business reasons why you wouldn't want your computer systems to be able to smoothly handle a run!
Of course a bank can be expect to design systems that handle the numbers of customers it has. Anything less than that amounts to poor and shoddy service. NR have a system which is badly implemented either because the people they contracted to build it don't know what they are doing, or because NR are not willing to put up enough money to pay for a real and proper system (i.e. well designed and with adequate hardware and software to allow it to function well).
As an example of a system that works well, 24 hours a day, for many millions of people, look at Google. When was the last time that you got a timed out connection when you used Google's search facility. And that involves hefty database lookups which require significant horsepower (and/or an extremely well designed system). The Google system is so good, because if it weren't no-one would use it and Google would cease to exist. The NR system being bad, relatively speaking, reflects badly on NR.