passwords you can remember are easy for attackers to guess.
But maybe one of the key issues is that password policies are universally so bad that consumers can't do the right thing because they can't figure out what that is! We've been living with that old dogma of... say it with me...
That's been around since the '60s. Perhaps it worked in a world where people had only one password, where systems weren't all networked together, and where attacking systems wasn't the lucrative business it is now.