Your security is only as good as the weakest link, which is usually people. If your password policy encourages users to stick a note to their screen, then your weakest link is anyone in the office who decides to take a selfie or join a call with their camera on. Best practices balance security with what users are actually willing to do.
It’s a little weirder than that.
https://lastplacecomics.com/lasso-man/
And some follow-up comics.
https://lastplacecomics.com/paint-bucket-man/
https://lastplacecomics.com/copy-and-paste/
https://lastplacecomics.com/lasso-man-4/