On a quick scan that looks like interesting analysis. Though one point that I find most run-downs like that miss is the number of accounts that are throw-aways, where the user simply doesn't care and will never use it again. At that point using "123456" or "password" isn't an issue; anyone who hacks the account gets nothing more than they would get if they just created a throw-away account themselves.
The hacker can grief / spam everyone else in the system from this "normal" account. Depends how much public interaction / content posting there is, though.
True, but this is not really a problem for the user, but a problem for the system. It is reasonable to assume that the user that creates these types of accounts does not really care about the security of the system either.