I have a dozen passwords to keep track of with frequent password change rules and obscure rules like password must contain a symbol and a number and a capital letter. Rules like these make it more difficult for humans to remember than it does for computers to crack.
Having to change them all regularly makes it nearly impossible to keep them all memorized. So users usually end up either recording them somewhere where they can be discovered. Or they use the same password for many different systems and a vulunerability in one system will compromise many systems.