I understand all too well that if people are allowed to choose ANY password at all, they will usually choose a weak one. The onus of security is not typically placed on the user; it is up to the institution to FORCE the user to choose a minimum acceptable level of security. This is why every major OS has systems built in to enforce password length, complexity and expiration requirements. Users cannot always be counted on to choose methods and systems which are in their best interests.
It's yet another extension of that classic rule of programming: "Always assume your user is an idiot (even if your only user is yourself)."