You're cherry-picking pretty heavily: there's a lot of cargo-culted password advice, but the current push for user-friendlier password management practices and fundamental model changes (e.g. two-factor with U2F) has been led by security experts who have, for many years, been loudly reminding everyone that usability is a security requirement rather than an inherent conflict.


You are probably right about cherry-picking. I know a lot of experts are aware of the problems, but from an end-user perspective security usability is still horrible and inconsistent.


No argument there — it's really interesting seeing the divide ultimately becoming users and experts on one side and people who are not experts but are setting policies anyway on the other.


"people who are not experts but are setting policies"

That seems to be the key issue.


I think that the problem is just that the people making these decisions are not security experts, but web designers.


Or often managers who are very concerned about doing the right thing but don't have an expert that they know/trust and so rely on their understanding, which is probably based on the horrible finance sites they use.

I once spent several weeks having meetings where people tried to develop a login management process on a whiteboard from first principles — in the federal government, where the right answer was “We'll follow the central security group's required process” — because they didn't have a security consultant but knew security was a Really Big Deal and didn't want anyone to think they weren't thinking about it.
