Humanity is just inherently lazy.
The question shouldn't be "how complex are they making their passwords?" But rather, "What steps are we taking to ensure the passwords are created to be complex?"
1. Default character limit
2. Add numbers, symbols, and uppercase
3. Rotated at minimum every 3 months
What can we do to improve upon that?
2FA is a good start, personally if I were smart enough I'd create a password creation system that doesnt allow proper words from a dictionary at all.