I don't think many realise that, in a way, a lot of this is not personal. It's not about your account, about you being targeted.
Every minute of every day, millions of digital probes get sent out over the Internet by powerful machines/computers to test the possibility of accessing data held on servers run by organisations that provide services we need. Not all the probes are malevolent; some are used by companies to test their digital resilience. However, they are all looking for weaknesses, a way into people's personal data. (I'm not including forms of espionage in these comments.)
Sometimes the criminals will get lucky; they will manage to harvest data held on a poorly managed server.
Your password is not just used to allow you to access your data; it is used to encrypt your data when they are stored too. The more complicated your passwords, the harder your data are to read. Criminals may not bother to decrypt your data but just sell harvested data in bulk on the dark Web. They have already made money from possessing information about you.
At this stage, more automatic programs will kick in. If machines can decrypt the data, they will, and they will use it. They will automatically collate data, comparing it using huge databases. They won't know that someone only has a paltry amount in an account; they don't care. A few taps on a keyboard and many are targeted at once.
The victims have to deal with getting new cards, the loss of confidence, empty accounts, responsibility for spamming emails; changing passwords is the least of the problem.
I know how annoying passwords are but also how difficult the use of other means of identification is too. For the time being, I think we are stuck with them.
In a way, using strong passwords is a bit like being vaccinated. If we all make passwords difficult, it is no longer easy for criminals to gain entry to our data and make victims of us.