"a really good password can be kept for DECADES, so long as it's hard to guess and easy to remember."
No password no matter how long is immune to shoulder-surfing and keyboard sniffing. In which case, the resultant breach could go unnoticed for decades, too.
Which would you rather have? A bunch of weak passwords that at least get changed every two months, closing any holes they might have made or stagnant passwords that in turn get stolen and go unnoticed?