Passphrases *can* be done securely; most people won't. They will concatenate simple words, which means if I have a dictionary of, say, the top 1,000 words, it's still reasonably feasible to crack.
For instance, here are some long passphrase-like passwords that I cracked from the LinkedIn debacle. They used plain MD5 as the hash, which admittedly helps cracking a lot. I haven't tried the depleted hash list in a long time, but I'm willing to bet with advances in both OCLHashcat and my own skills, I could get quite a bit more.
24 sociological imagination
20 Restoration Hardware
At the end of the day, there's just no substitute for a long random password.