[x1798DE]

I agree that the 40k sample is probably biased, but if you assume it's not actually biased, your second point doesn't hold, because the ones he couldn't crack are presumptively strong, so adding in the ones that he knows are strong because he found them in some plaintext form, that leaves about 500 passwords out of 40k that he couldn't find. If anything, the uncracked passwords bias you towards thinking their passwords are stronger, since it's possible that some of them are just weak passwords stored in some non-standard way, or there's a salt included in the program that he missed or something.