When applying those rules to employees, a company has the authority and the employees will 'suffer it'. I know of half a dozen folk near me who have recently aquired broadband (amazing when you think about it).
One is in his 70s.
Three are over 50.
One is a trademan in his 40s.
The other is in his 20s.
Only the latter appreciates decent security, and that's just because he's been exposed to college IT systems and the usual risks therein. I agree completely with the sentiment that users should have a password policy approach, but it's not realistic for many, and if I cast myself back to when I first used the web, if an ISp stated that a password should be 12 characters, must be varied case etc, I'd be wondering why, considering I didn't use banking or online shopping or the like.
Perhaps those who do should get a heads-up once in a while. Like I said occasional reminders, and over time the minimum criteria can be turned up.