Scratching my head wondering why a system administrator who defines and enforces the security policy is blaming it's users for weak passwords?
Service owners can set the minimum criteria for password strength, complexity, and expiration. They can also test users choices against lists of known common passwords. If there are unacceptable risks, additional services can be included to protect access, such as change notifications, login-tracking communications, and Multi-Factor Authentication (MFA) mechanisms.
If you built and oversee the system, why would you vilify those who operate within the acceptable parameters you have defined?