Not trolling here...I know this is the most common criticism: "Your password is only X characters long / doesn't have enough case diversity / has no special characters / contains dictionary words", etc.
But -- in general, someone either has your password because they stole it (in which case it really doesn't matter what the password is), or they don't, in which case they have to guess or brute-force it on the website.
Most sites won't give you more than a handful of attempts at logging in before they lock you out and force two-step authentication by making you change your password via an email/text or by asking security questions. And even if they somehow didn't, every failed attempt on a live website takes time; realistically, trying more than a few combinations isn't really worth the trouble in the vast majority of cases.
So, in the realm of security considerations, why is a "secure" password considered so critical? It seems to me that, practically speaking, someone guessing your password is about the LEAST likely way to get compromised. What am I missing here?