In the meantime, no one can remember all these passwords and writes them down, making it super easy for anyone to know the person's password. I have worked at a college with a 90 day password change policy (and long complex passwords) and 75% of people had a sticky note somewhere around their desk with their current password on it because almost no one could remember them all. At the time I worked support and when going onsite I could easily have collected almost everyone's passwords if I wanted. Most of IT didn't really remember the (multiple) sets of passwords either and so made use of password keychain programs to remember for them.
I always found concepts like ITSM silly. Very little of it has any proof backing up their 'scores', but yet so much of the industry just accepts it.