Don't Just Blame Users
One of my banks doesn't allow uppercase or special characters. The other, after a major software upgrade that took much of their systems of line for several days, only allows numbers in passwords.
On the other hand, there are sites like infrequently visited tech forums that represent no real security risk to me. A short and weak password is fine.
The point being, the strength of a password should reflect risk levels. Sometimes 12345 is good enough.