I work in the financial lending industry and I can promise you that if we slack off on security and user credit info is leaked or stolen, it won't matter whether the breach came by way of social engineering, brute-force password attacks or swarms of pigeons waving flaming torches: everyone in the department gets sanctioned. Some will get reprimands, some will get demotions and some will get fired.
If it comes to a choice between losing your job and inconveniencing a user with a password change every 30, 60 or 90 days, guess who has to learn a new password. And you can bet that if someone in the department notices a breach, they will report it and go on a witch hunt to find the "lazy S.O.B." who had both the responsibility and the authority to fix it.
I read the FA and I find their conclusions don't match my experience. I know, anecdotal evidence isn't evidence, but reports like this, done this way, will not effect change in either a positive or a negative way.