In case there was any question, people follow bad password practices. Duh.
And it’s not a matter of education. People know the rules, they just don’t follow them.
Looking at my own practices, there are some “bad” things I do, and some things I do that are outside of average. I tend to reuse some passwords more than I should, but they’re not trivial passwords, and I keep them pretty secure. (I also have different levels for different types of accounts — things having to do with money vs. access to other sites.)
I could do better — but, then, the same thing keeps me from doing so as keeps everyone else: convenience / laziness. Constructing difficult passwords with different character types, recycling them periodically, and choosing different ones for every site … is, frankly, impossible.
Things need to shift, either to some sort of more persistent (and secure) user identification (single sign-on sort of thing), or else some sort of biometrics. Both of those have problems that go with them, but userid/password combos do, too, and we’ve reached the limits of what we can do to address them.