@centaury I'm not talking about defective controls, but working ones, that are in place exactly because users behave as you described. Incidentally such controls are usually found at places that matter (bank, pwstore, etc).
Will such controls protect all users every time? No. But my impressions (which may be wrong, but I don't have any data) is that the impact of data breaches (esp. ones that involve ~only credentials) is diminishing.