An exception can be found for every rule, in just about anything.
Nitpicking specific examples and then saying "oh, well this disproves it" proves nothing. 99 out of a 100 times, blaming the user isn't the right move. For the sake of brevity, I used ever and always.
Ah, but we're discussing a specific domain, security, where I think "the user is always right" is often wrong. Requiring a user to memorize 10+ essentially random characters, for example, is an awful user experience, but it is required for security purposes.
Personally, I prefer keys (long, randomly-generated passwords stored in a file or device) to passwords, but I don't know of any reasonable way to authenticate to a webapp with a key.
Nitpicking specific examples and then saying "oh, well this disproves it" proves nothing. 99 out of a 100 times, blaming the user isn't the right move. For the sake of brevity, I used ever and always.