It may not be the most secure method, but it’s certainly the easiest way to deliver some keylogger protection without doing major changes in the backend code. The methods you mentioned are not “standard” as a virtual keyboard (which many people have already seen in banks), how much of code refactor will it really need to be safety implemented? What if someone comes with a better method, will it be easy to update it? What about attack surface?
A virtual keyboard would be only a matter of frontend design and some basic JavaScript, the use could be totally optional, just type with your normal keyboard if you want. And yes, they could use screenshot-based sniffing, but compare the models of hardware keylogger in this random shop I found, IMO a display based recorder is already another level of thread.