Its not the users fault...
The whole problem of measuring security through password entropy is that you are putting the emphasis on the security on the weakest link and the area you have least control. The only reason that this seems to happen is that it reduces the provider liability.
As has already been stated, far better than longer and longer passwords is to introduce 2FA and login delays on incorrect logins. But this takes effort on the providers part, so we blame the users for choosing relatively easy to remember passwords.
The argument that if users choose short passwords means that passwords files are easy to decrypt again misses the point. It is not the users fault if a password file is stolen, nor is it there fault is the password is not stored in a salted method which should be at laest as good protection against dictionary attack as other password methods