The immediate risks they are running, threat model:
https://webscan.upguard.com/#/https://www.tdameritrade.com/home.page
MiM attacks ->
Insecure SSL/TLS versions available
HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion
Domain at risk of being hijacked:
Domain registry deletion protection not enabled
Domain registry transfer protection not enabled
Domain registry update protection not enabled
Lenient SPF filtering, so e-mails could be fraudulently sent
DNS is susceptible to man-in-the-middle attacks
DNSSEC not enabled. (Info source credits go to UpGuard.)
polonus
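
Added example (not part of the post above and not UpGuard's code): a small offline Python check that reproduces the two HSTS findings and the SPF finding from a header value and a TXT record. The function names and the sample strings are constructed for illustration, and treating any catch-all other than `-all` as "lenient" is an assumption about how the scanner grades SPF.

```python
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age for preload list submission

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives

def hsts_findings(value):
    """Return the HSTS findings from the list above that apply to this header."""
    d = parse_hsts(value)
    raw_age = d.get("max-age")
    if not (isinstance(raw_age, str) and raw_age.isdigit()):
        return ["HSTS header has no valid max-age"]
    findings = []
    has_sub = "includesubdomains" in d
    if not has_sub:
        findings.append("HSTS header does not contain includeSubDomains")
    # Preload needs includeSubDomains, the preload token and max-age >= 1 year.
    if not (has_sub and "preload" in d and int(raw_age) >= PRELOAD_MIN_AGE):
        findings.append("HSTS header not prepared for preload list inclusion")
    return findings

def spf_findings(txt):
    """Flag an SPF record whose catch-all is weaker than a hard fail (-all)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["No SPF record"]
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        return []  # policy is delegated to another record; not evaluated here
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        return ["Lenient SPF filtering: no 'all' mechanism"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    if qualifier != "-":
        return ["Lenient SPF filtering: catch-all is '%sall'" % qualifier]
    return []

if __name__ == "__main__":
    # Constructed sample values, not captured from the scanned site.
    print(hsts_findings("max-age=31536000"))
    print(hsts_findings("max-age=63072000; includeSubDomains; preload"))
    print(spf_findings("v=spf1 include:_spf.example.com ~all"))
```
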