66% accept notoriously weak passwords such as "123456" or "password"
How should a web site determine whether a given password is "notoriously weak"?
66% make no attempt to block entry after 10 incorrect password entries
Where does "10" come from, and how long should entry be blocked? We don't want customers to become ex-customers when they discover that they have to make international telephone calls at a dollar per minute or more to get their accounts unblocked.
60% do not provide any advice on how to create a strong password during signup
One site I manage uses the following, with a link to Wikipedia's page about password strength and xkcd's comic about passphrases: "Either 8 or more characters using at least one letter and one digit or a phrase of 16 or more characters using at least one letter, and not easy to guess"
and only 14% display a password meter
I don't know how it's possible to "display a password meter" to users of NoScript.
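A server-side check for the password rule quoted above, which needs no JavaScript in the browser. This is an added example, not part of the original comment and not the code of the site it mentions. The function names, the denylist entries beyond "123456" and "password", and the reading of "not easy to guess" (denylist match, contains the account name, or one or two distinct characters) are assumptions.

```python
import unicodedata

# Constructed sample denylist; the page names only "123456" and "password".
# A real deployment would load a much larger list of leaked passwords.
DENYLIST = {"123456", "password", "qwerty", "letmein", "password1"}


def _normalize(pw):
    # NFKC + casefold so "Password" and fullwidth look-alikes hit the denylist.
    return unicodedata.normalize("NFKC", pw).casefold()


def easy_to_guess(pw, username=""):
    """Return a reason string if the password is trivially guessable, else None."""
    norm = _normalize(pw)
    if norm in DENYLIST:
        return "on the list of commonly used passwords"
    if username and _normalize(username) in norm:
        return "contains the account name"
    if len(set(norm)) <= 2:
        return "uses only one or two distinct characters"
    return None


def check_password(pw, username=""):
    """Apply the quoted rule; return (ok, message) for rendering server-side."""
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    short_form = len(pw) >= 8 and has_letter and has_digit
    phrase_form = len(pw) >= 16 and has_letter
    if not (short_form or phrase_form):
        return False, ("use 8 or more characters with at least one letter and "
                       "one digit, or a phrase of 16 or more characters")
    reason = easy_to_guess(pw, username)
    if reason:
        return False, "too easy to guess: " + reason
    return True, "ok"
```

The message returned by `check_password` can be rendered on the signup page after form submission, so the feedback reaches users who have scripting disabled.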