
That's interesting. This should bring us to the realization that we should think of this as an engineering problem, rather than having an expectation of humans being "bug-free".


We definitely should! The current state of infosec as practiced, regarding, say, vulnerability to email trojan horses, is like using sharp knives for door handles that, instead of just mangling your fingers, make a copy of the door keys and mail them to people who sent you emails. And then insisting that repeated user training is enough, and a cost-efficient counter-measure. Even in the face of repeated evidence that it's not.

A rested, focused, well-trained human is almost bug-free. No one is rested, focused or well-trained 100% of the time.


Well, after everybody and their mother pushed for 2FA they realized people can still get phished for the 2FA token, so...

If the service that you're running is not made by idiots that will store your password with anything weaker than PBKDF2 then a strong (unique) password is still a good bet.

Human factors are an issue and I believe lack of enforcement and prosecution is another issue.
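The comment above hinges on what "weaker than PBKDF2" means in practice. The following is an added example, not code posted by anyone in this thread: it stores a password with PBKDF2-HMAC-SHA256 (per-user random salt, explicit iteration count embedded in the stored string, constant-time comparison on verify) next to the kind of unsalted fast hash the comment is warning about. The iteration count, the `pbkdf2_sha256$` record format and the `needs_rehash` policy check are assumptions chosen for the example, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a 2023-era work factor for PBKDF2-HMAC-SHA256. Raise it over time;
# needs_rehash() below lets existing records be upgraded on next login.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$derived_key.

    A fresh 16-byte random salt per user means two accounts with the same
    password produce different records, so a leaked table can't be attacked
    with one precomputed dictionary for everyone at once.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the salt and iteration count from the record and compare
    in constant time, so timing doesn't leak how many leading bytes matched."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported hash record: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy.
    Call after a successful verify and re-store hash_password(password)."""
    algo, iters, _, _ = stored.split("$")
    return algo != ALGO or int(iters) < min_iterations


def weak_hash(password: str) -> str:
    """The 'made by idiots' baseline: one fast, unsalted SHA-1. Identical
    passwords collide across users and the whole table falls to a single
    precomputed or GPU-brute-forced dictionary."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    # Same password, two users: salted records differ, the weak hash does not.
    print(hash_password("hunter2") != hash_password("hunter2"))
    print(weak_hash("hunter2") == weak_hash("hunter2"))
```

Note what the record format buys you: because the iteration count travels with the hash, the server can raise `ITERATIONS` later and transparently upgrade each user's record the next time they log in, which is the one moment the plaintext is legitimately available.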


To me it is obvious that passwords are insecure. Just think how many people are saving them in a browser without a master password, share them in internal chats, use the same password everywhere because it's difficult to remember several passwords, etc.



