They're like me and they use the same three "secure" passwords for everything
They write down their passwords on a sticky note and put it on their monitor
They put everything in a password vault and use an insecure password (like their son's name) for that.
You cannot take the idiot out of the user, so plan accordingly. If I break into a user account, I shouldn't be able to do anything more than screw with that specific user. If I can bring down the site by grabbing a low-priv account, that's the problem. It's the user's responsability to choose and use a good password. It's your responsability to protect the other users when (not if!) they don't.
My criteria for good software:
Does it work?
Can someone else come in, make a change, and be reasonably certain no bugs were introduced?