A couple of financial sites that I use have a "security picture" (some small random photo) and "security phrase" (something I write about it). Two of them go about it differently, however: one asks for my username/password, then on the next page shows the phrase/photo and asks me for some other info (a la "First pet's name"). The other just asks for my username, then on the next page shows the phrase/photo and asks for my password.

What sorts of attacks does this guard against? If someone was making a fake MitM site, couldn't they just forward the phrase/photo, or if they're CSRF just omit them (then does it rely on me to notice that they're not there)?

Nick T
  • @NeilMcGuigan probably; the extra phrase is probably just a small addition. Feel free to VtC – Nick T Feb 15 '16 at 04:34

1 Answer

Normally these websites ask for a username/email at login first, then show your security picture prior to asking for your password. The picture is chosen by you, the user, from a pool of images during registration. So it basically stops you from giving your password to a malicious clone of a legitimate website, because the actual user-chosen picture likely won't match the malicious site's image (assuming they try to show you one).

If they do show you one, it is indeed up to you to notice. But that's why they also combine this feature with the security question, which could also be the wrong question or completely missing (which you would also need to notice).

To answer the question of forwarding the photos, accurately forwarding the image/question of a financial site would be nearly impossible. There are two ways to do it that I can think of:

  1. They would need a sizable list of active users and a list of the questions/pictures that correspond to each user, then hope no one changes their security photo or questions at any point. This is something that would basically require access to the financial website's database or a data dump of that database.

  2. The only obvious alternative to that would be finding a vulnerability in the web application that allows them to enumerate users, which most financial websites are going to protect against. They would then need to use some automated technique to create a fairly large list of known users. From there they would have to build a kind of mirror database that links these known users to the security questions and photos.

These are pretty impractical. The most effective way (in my opinion) to thwart security pictures and phrases is either to hope users forget they will be asked, or to get access to their machine and perform key logging or screen grabbing because then there is no reason to set up a phishing website.

guestuser
  • While you describe how faking these photos from a phishing site would be difficult, you don't answer the OP's question about using a MiTM to fake them. – Neil Smithline Feb 15 '16 at 15:57
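To make the distinction between the two orderings in the question concrete, here is an added toy model (not code from the thread or any real bank): a constructed single-user "bank", the two login flows, and two impostor models, a static clone that has nothing to show and a relay that simply echoes whatever the real site shows. The only thing it measures is whether the password is sent and whether the user's picture check can fire, which is what a defender evaluating this control cares about.

```python
"""Toy model of the two 'security picture' login orderings. Constructed
example with one user and no networking; all names are made up."""

# Constructed server-side record: username -> (password, picture, phrase)
BANK_USERS = {"alice": ("correct-horse", "cat.jpg", "my grumpy cat")}


def bank_lookup(username):
    """The real bank reveals the picture/phrase once the username is known."""
    rec = BANK_USERS.get(username)
    return (rec[1], rec[2]) if rec else None


def flow_picture_then_password(site, username, expected):
    """Flow A: username -> picture -> password.  `site` maps a username to the
    picture/phrase that site displays (the real bank or an impostor).  The
    user withholds the password unless the display matches what they expect."""
    shown = site(username)
    if shown != expected:
        return {"password_sent": False, "detected": True}
    return {"password_sent": True, "detected": False}


def flow_password_then_picture(site, username, expected):
    """Flow B: username+password -> picture.  The password is already gone
    before anything can be checked; a mismatch can only be noticed afterwards."""
    shown = site(username)
    return {"password_sent": True, "detected": shown != expected}


def static_clone(username):
    """Impostor with no knowledge of the user's choice (constructed values)."""
    return ("stock-photo.jpg", "welcome!")


def relaying_site(username):
    """Impostor that forwards the username to the real site and echoes it."""
    return bank_lookup(username)


def evaluate(username="alice"):
    """Run both flows against both impostors; the real site is the baseline."""
    expected = bank_lookup(username)
    return {
        "A/static": flow_picture_then_password(static_clone, username, expected),
        "A/relay": flow_picture_then_password(relaying_site, username, expected),
        "B/static": flow_password_then_picture(static_clone, username, expected),
        "B/relay": flow_password_then_picture(relaying_site, username, expected),
    }
```

Flow A blocks only the static clone; flow B blocks neither, since the password leaves before the user has anything to compare, which is the ordering difference the question noticed.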