.. I'd just like to point out, that if the server is compromised and the attacker can download the full database of passwords... then they have 11k accounts and passwords, some of which will no doubt be used on other sites aswell.

If the passwords are stored encrypted, then the attacked cannot download all 11k passwords at once and must put in some code to get the password - pre encryption - per login.

Thus, if time between attack and attack detection is 24 hours, the attacker will only have gathered the passwords of users who have logged in the last 24 hours - not all 11k.

Thus, quite obviously, storing passwords encrypted IS infact added security. Not doing this IS a flaw.