You seem determined to play the "it can't work" hand and I'm damned if I can figure out why.
Security is a Risk Analysis game - it always has been. To do it correctly, password policy should be subject to that. If the potential damage from using accounts with poor passwords is low and/or unlikely, then you have a low risk situation. Little need to enforce 70 character passwords. If the potential damage* is high, but only to a very small number, thus reducing the likelihood, then the risk is not really increased a great deal. And so on. Sometimes, bad passwords and poor controls is actually not a problem. Even in a corp.
Wade.
* Sometimes the damage is more ephemeral than real. People's egos, for instance.