I audited IBM's mainframe security with a student account and a statistical framework I built. 50 findings.
IBM z/OS mainframes process ~87% of global credit card transactions. The password hashing system protecting those systems, RACF Legacy DES, has 42.17 bits of effective entropy instead of 56. That's crackable in 7.6 minutes on a consumer GPU. Cost: $0.08.

I validated this bit-for-bit on a real IBM z15 running z/OS V2.5. 4/4 perfect match between my model and the production implementation.

All findings obtained with a standard student account. No exploits. No privilege escalation. Just a statistical framework (CASI, IEEE peer-reviewed, ICECET 2026) and reading what the system showed me.

The fix for every finding already exists in z/OS. KDFAES has been available since 2007. AT-TLS, MQ SSL, ICSF authorization: all single configuration changes. The gap is not capability. It is configuration.

Full technical report (15 pages, 50 findings): https://doi.org/10.5281/zenodo.18755826

Responsible disclosure to IBM PSIRT initiated.
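To make the "42 bits instead of 56" point concrete, here is an added Go example (not the author's CASI framework, not IBM code, and not from the report) that reproduces the RACF legacy DES construction as the public crackers implement it (John the Ripper's racf format, hashcat mode 8500): the password is uppercased, converted to EBCDIC, padded with EBCDIC spaces, each byte XORed with 0x55 and shifted left one bit to form the DES key, and the padded EBCDIC user ID is DES-ECB encrypted under it. Because the key is a function of the password alone, the reachable key space is bounded by the password alphabet, not by DES's 56-bit key. The 39-character alphabet (A-Z, 0-9, @ # $) is an assumption about legacy password rules, the credentials `IBMUSER`/`SYS1` are constructed, and the bound this computes (about 42.3 bits) is the alphabet ceiling; the post's 42.17 figure is the author's measured value, which need not match it exactly.

```go
package main

import (
	"crypto/des"
	"fmt"
	"math"
	"strings"
)

// asciiToEBCDIC maps the characters a RACF legacy password may contain
// (A-Z, 0-9, @ # $) plus the space used for padding to EBCDIC (code page 037).
var asciiToEBCDIC = map[byte]byte{' ': 0x40, '@': 0x7C, '#': 0x7B, '$': 0x5B}

func init() {
	for i := byte(0); i < 9; i++ {
		asciiToEBCDIC['A'+i] = 0xC1 + i // A-I
		asciiToEBCDIC['J'+i] = 0xD1 + i // J-R
	}
	for i := byte(0); i < 8; i++ {
		asciiToEBCDIC['S'+i] = 0xE2 + i // S-Z
	}
	for i := byte(0); i < 10; i++ {
		asciiToEBCDIC['0'+i] = 0xF0 + i // 0-9
	}
}

// legacyCharset is the password alphabet size: 26 letters, 10 digits, @ # $.
// Assumption: nothing else is valid in a legacy (pre-mixed-case) RACF password.
const legacyCharset = 26 + 10 + 3

// ebcdicField uppercases s, rejects characters outside the RACF set, and
// returns it as an 8-byte EBCDIC field padded with EBCDIC spaces (0x40).
func ebcdicField(s string) ([8]byte, error) {
	out := [8]byte{0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40}
	s = strings.ToUpper(s)
	if len(s) == 0 || len(s) > 8 {
		return out, fmt.Errorf("field %q must be 1-8 characters", s)
	}
	for i := 0; i < len(s); i++ {
		e, ok := asciiToEBCDIC[s[i]]
		if !ok {
			return out, fmt.Errorf("character %q is outside the RACF legacy character set", s[i])
		}
		out[i] = e
	}
	return out, nil
}

// legacyDESKey derives the DES key the way the public crackers do: each EBCDIC
// byte is XORed with 0x55 and shifted left one bit. The shift leaves every
// byte's low bit (DES's ignored parity bit) at zero, so the key is determined
// entirely by the 8 password characters.
func legacyDESKey(password string) ([8]byte, error) {
	k, err := ebcdicField(password)
	if err != nil {
		return k, err
	}
	for i := range k {
		k[i] = (k[i] ^ 0x55) << 1
	}
	return k, nil
}

// racfLegacyDES returns the 8-byte legacy hash: one DES-ECB encryption of the
// padded EBCDIC user ID (the plaintext) under the password-derived key.
func racfLegacyDES(userID, password string) ([]byte, error) {
	key, err := legacyDESKey(password)
	if err != nil {
		return nil, err
	}
	uid, err := ebcdicField(userID)
	if err != nil {
		return nil, err
	}
	block, err := des.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, uid[:])
	return out, nil
}

// effectiveBits is log2 of the number of distinct keys that passwords of
// 1..maxLen characters over an alphabet of n symbols can reach. This, not
// DES's nominal 56 bits, bounds the space an attacker has to search.
func effectiveBits(n, maxLen int) float64 {
	total := 0.0
	for l := 1; l <= maxLen; l++ {
		total += math.Pow(float64(n), float64(l))
	}
	return math.Log2(total)
}

// crackSeconds is the worst-case time to exhaust keyBits at hashesPerSec.
func crackSeconds(keyBits, hashesPerSec float64) float64 {
	return math.Pow(2, keyBits) / hashesPerSec
}

func main() {
	// Constructed sample credentials for illustration, not real IBM data.
	h, err := racfLegacyDES("IBMUSER", "SYS1")
	if err != nil {
		panic(err)
	}
	bits := effectiveBits(legacyCharset, 8)
	fmt.Printf("hash: %X\n", h)
	fmt.Printf("effective key bits: %.2f (nominal DES: 56)\n", bits)
	fmt.Printf("exhaustive search at 1e9 DES/s: %.1f minutes\n", crackSeconds(bits, 1e9)/60)
}
```

The rejection of characters outside the legacy set matters for the bound: it is exactly that restriction, plus the uppercasing, that shrinks the usable key space, so any mixed-case or special-character password policy that the legacy hash silently folds away buys nothing until the hash itself is switched to KDFAES.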