From the thousands of clients I have worked with (I’ve worked at WP Engine and Pagely), most sites are brute-forced via very simple passwords (colours, names, etc.), especially WordPress sites, rather than compromised through some vulnerability in a plugin, theme or WordPress itself. Still, that’s exactly the purpose of enforcing complexity - to slow down a brute-force attack. Preventing attacks is something that needs to be done proactively too, so complexity + disabling accounts after X failed login attempts is enough to protect an account. The same thing applies to dual logins (HTTP auth + CMS login), 2-step verification, etc.
The article you’ve shown is an opinion from a regular person who owns a company that generates less than £10k of revenue a year, not a security or psychological expert. It’s safer to enforce complexity and let a customer write down the password than it is to let the customer use the password “yellow1”, because most breaches are done from a remote location, guessed or brute-forced, not by someone who has physical access to you or your possessions. Even using a password manager is safer because it gets users into the habit of generating different passwords for every account, so if one is breached, the rest are safe.
When you have car insurance, you don’t expect to have an accident every day, but it does give you peace of mind. By the same principle, even if DreamHost has a low number of breaches, it’s still about giving peace of mind. Giving us the option to enforce SSL on webmail is another way to protect our clients who use open WiFi hotspots to log in.
The reality is that people don’t fully understand the gravity of what occurs when their email is hacked until it’s too late. They need to be forced to protect themselves, not asked.
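The two controls the post pairs, a complexity check at password-set time and disabling the account after X failed logins, look like this when written out. This is an added illustration, not code from the post or from DreamHost; the policy thresholds (12 characters, three character classes, lockout after 5 failures for 15 minutes) and the tiny dictionary of common words are constructed for the example.

```python
"""Constructed example: password complexity check plus failed-login lockout."""
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed mini dictionary of words a brute-force wordlist would try first.
COMMON_WORDS = {"yellow", "blue", "red", "green", "password", "admin", "welcome", "letmein"}

MIN_LENGTH = 12  # assumed policy value
CLASS_PATTERNS = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def password_meets_policy(password: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    Rejects short passwords, dictionary words padded with digits or symbols
    (so "yellow1" and "Yellow!!!" are both refused), and passwords built from
    fewer than three character classes.
    """
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Strip everything but letters so trivial padding does not hide the base word.
    base = re.sub(r"[^a-z]", "", password.lower())
    if base in COMMON_WORDS:
        return False, "dictionary word with trivial padding"
    classes = sum(1 for pat in CLASS_PATTERNS.values() if re.search(pat, password))
    if classes < 3:
        return False, "uses fewer than three character classes"
    return True, "ok"


@dataclass
class LoginGuard:
    """Per-account failed-attempt counter with a temporary lockout."""
    max_failed: int = 5            # assumed: lock after 5 consecutive failures
    lockout_seconds: int = 15 * 60  # assumed: 15-minute lockout
    # username -> (consecutive failures, unix time until which the account is locked)
    _state: dict = field(default_factory=dict)

    def attempt(self, username: str, credentials_valid: bool,
                now: Optional[float] = None) -> str:
        """Record one login attempt and return "ok", "denied" or "locked".

        While locked, even a correct password is refused, so an attacker who
        keeps guessing gains nothing from the lockout window.
        """
        now = time.time() if now is None else now
        count, locked_until = self._state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        if credentials_valid:
            self._state.pop(username, None)  # success resets the counter
            return "ok"
        count += 1
        if count >= self.max_failed:
            self._state[username] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[username] = (count, locked_until)
        return "denied"


if __name__ == "__main__":
    for candidate in ("yellow1", "Yellow!!!!!!!", "Tr0ub4dor&3-Xq9"):
        print(candidate, password_meets_policy(candidate))
    guard = LoginGuard(max_failed=3, lockout_seconds=600)
    for t in range(3):
        print(guard.attempt("alice", False, now=1000 + t))
    print(guard.attempt("alice", True, now=1003))   # still locked
    print(guard.attempt("alice", True, now=1602))   # lockout expired
```

The lockout is keyed on the username, so a flood of wrong guesses against one account locks that account; in production you would also rate-limit by source address and alert on repeated lockouts, since a burst of them across many accounts is the detection signal for the credential-stuffing the post describes.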