...we should add basic security to the curriculum at schools? I'm sure I'll be parroting what others have said already, but all password systems need to allow letters (case mattering), numbers, and special characters. Further, I think they should require them. Length limits are good, and 8 is a decent starting point. Obvious passwords should be blacklisted, as is being done here. Perhaps implement a check against other user info like birth date and such to refuse passwords involving 2- and 4-digit birth year dates, etc.
Making password management easier for folks without it being a program they have to buy or spend a lot on will go a long way too. Being able to make one really long random strong password and have it applied to all websites would make things easier for the average user. Obviously they could then protect that with only one other password which they would need to memorize. Of course a keylogger could cause a problem there, but that's an issue no matter what.
At least with a central program, if a system was found to be rooted, once cleared the program could be used to push out a new password for all accounts, with a new master password for the program. No idea how feasible this would be though. First you have to get all websites on board with decent password systems. There are still far too many out there that restrict passwords to text/digits only, which is part of the problem, especially when some of these sites are banks. Would also need sites to stop using login fields that a browser or other software cannot detect. That doesn't stop a keylogger, and only makes logins more of a PITA for the user.
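A policy checker along the lines the post proposes (minimum length, required character classes, a blacklist of obvious passwords, and a check against the user's birth date in its common digit forms), added here as an illustration and not code from the original thread; the blacklist entries, the `check_password` function and the set of date renderings it rejects are constructed assumptions.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed sample blacklist; a real deployment would load a much larger
# list of leaked/common passwords. Kept lowercase for case-insensitive matching.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 8


def _date_forms(d: date) -> set:
    """Digit renderings of a birth date a user is likely to embed in a password
    (4-digit year alone, and 2- or 4-digit year combined with month and day)."""
    yyyy = f"{d.year:04d}"
    yy, mm, dd = yyyy[-2:], f"{d.month:02d}", f"{d.day:02d}"
    return {yyyy, mm + dd + yy, dd + mm + yy, yy + mm + dd,
            mm + dd + yyyy, dd + mm + yyyy, yyyy + mm + dd}


def check_password(password: str, birth_date: Optional[date] = None,
                   username: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the blacklist of common passwords")
    # Reject passwords built from other profile data, as the post suggests.
    if birth_date is not None and any(f in password for f in _date_forms(birth_date)):
        problems.append("contains a form of the birth date")
    if username and len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    return problems
```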