by alarge
2812 days ago
I don't know that it's just the procurement strategies to blame. Many years ago, I was asked to bring a command and control system into (Orange Book) C2 compliance. Among the things I introduced were personal user accounts with some restrictions around allowable passwords. The users of the system (most of whom were "former" fighter pilots) were furious with the restrictions, which they viewed as getting in the way of their jobs. They invariably created a shared login with the simplest password they could come up with that would meet the requirements (e.g., Abc123 or some such). Security can't be imposed by the system on its users. They have to cooperate.
|
With modern crypto there are very few systems where it's appropriate to have a user-selected <=12-character password for primary auth, yet unfortunately that continues to be widespread for banks, e-commerce, and (probably) some military systems. High-end security people seem to almost universally hate short user-selected passwords (except when they have to break them...), but old practices die hard and old systems take a long time to be replaced.