Yuck, yuck, and doubleyuck! All this means is that either

• Everyone uses "test123" (or similarly stupid passwords)
• They're like me and they use the same three "secure" passwords for everything
• They write down their passwords on a sticky note and put it on their monitor
• They put everything in a password vault and use an insecure password (like their son's name) for that.

You cannot take the idiot out of the user, so plan accordingly. If I break into a user account, I shouldn't be able to do anything more than screw with that specific user. If I can bring down the site by grabbing a low-priv account, that's the problem. It's the user's responsability to choose and use a good password. It's your responsability to protect the other users when (not if!) they don't.