Part of the trouble is that not everyone installing SME is an accomplished Linux sysadmin. The development team has done such a good job that a trained monkey could install SME 7 on most hardware.
That's a great thing, until a newbie admin tries to set up a weak user password, like they used for the admin password during setup. When they do, they get an error explaining the password criteria. So they provide a password that has a mix of uppercase, lowercase, numeric and punctuation characters. I used "Amanda1!" as a test case. And I received another error telling me my password was based on a dictionary word.
About this time, our hypothetical newbie admin is thoroughly frustrated, and ditches SME in favor of whatever Microsoft product they're familiar with.
Or worse yet, they stay with SME, but forget to reset the weak admin password they supplied at installation, so they get rooted by script kiddies, and wind up ditching Linux in favor of the "more secure" Windows platform.
I'm still of the opinion that there should be a password policy page in the panel, and that it should include an option for enforced password change intervals. This would help mitigate the risk of establishing a weak admin password during installation that never expires. And if I could write the code myself, I would.