I am deliberately lazy with my passwords: I choose simple, easy to remember and closely related passwords - precisely what the IT folks hate. Well, come on, just what is the probability that: one, someone will take the time to try and hack my e-mail; two, that if they do they will get anything at all of any use for anything; and three, that they will then try and figure out other accounts I have to do something that is profitable to them and harmful to me? Practically zero. What is the cost to me of trying to keep track of all these complicated passwords? Very high. In fact, what you end up doing is writing them down (big no-no to the IT types) or using one of these programs that keep them for you under a single password. So the whole endeavor is wasted anyway.
No, I am convinced that the only reason I have to do this is because it is convenient for the IT folks to make me jump through hoops. Why? Well, just one whiny OSU professor (of the hundreds they serve) that has had his e-mail hacked into is a huge headache for them, and the probability of one in hundreds having problems is much higher than my individual probability. On the other hand, they don't have to pay any of the cost of making all of us change our passwords all the time. So in their desire to avoid some extra work, they quite gladly impose an external cost on all of us.
Which of course calls for us to create rules that limit password ridiculousness. Why don't these happen? Probably because the IT folks have us over a barrel. We have no idea what they do and why, and could not possibly do it ourselves, so we are afraid of annoying them. Imagine the pain and suffering they could cause.
So change our dang passwords we do - curse you IT devils!