It also prevents copy/pasting out of that field by most browsers.
If someone gets access to your computer because you walked away for a second, goes to your bank page and it autofills, they can access the site, but they can't know your password (which is generally shared between many sites), and so they can only do damage there locally for a (hopefully) brief period of time.
Sure, copy-paste, but if you monitor the outgoing query via Firebug, you can get the raw password. (This is confirmed with the Gmail password input.) I have also in the past used various Windows tools for finding the value of a text box or for toggling the hiddenness of the text. Basically, if someone has access to the machine where your password is stored in any form, all bets are off.
If it just displayed in a textbox, game over...