It's hard to defend the argument for not customizing the logon page. If the site and digital certificate for the site are under the bank's domain name then isn't that a bit of a give-away already.
In our case we don't customize our page, it's setup for SSL/TLS, we have a robots.txt file at the root to keep the "nice" search engines from indexing the page, the server is in a DMZ with IPS protecting the interface, logging is turned on and reviewed, etc. All the public server hardening techniques should be applied.
One thing I would worry about with customization is the possibility that a vulnerability is actually introduced into the webmail application. That could easily happen if the code is tweaked for any reason, i.e. debugging, work-arounds, etc.