You don't have to re-use passwords. In fact, don't re-use passwords. Keeping them in a password manager helps a lot with this. I have over 50 unique passwords which are all long, generated random strings. But there are a few websites, including British Gas, which get shitty weak passwords because they pull dumb crap like this in the name of "security".

People shouldn't but they do.

If they didn't then password breaches would barely matter.

Not true; the password on iOS devices is a 4-digit pin; in my experience, plenty of people either reuse their bank PIN, or just use their DOB.