This is also a factor in the weakness of the 10 tries before lockout mentioned in the OP. You can go thru all accounts, trying 10 times each with a mix of dictionary and short passwords. Without some sort of password strength requirement, you’re going to get into a lot of accounts.
Note that a site might notice a lot of tries coming from one IP address and block that one. (Although maybe there’s just a lot of users coming in from behind one company’s NAT router.) But a botnet will get around that.
Note also, the botnet can be working against thousands of sites.
Companies aren’t trying to protect your account. They are trying to avoid the headaches for them caused by thousands of users with bad passwords.
A good hashing function is strictly one-way. If a password can be decrypted by the site then it is run by idiots. Someone, perhaps an insider, can get the password file and the key and go to town.
Ever notice a site asking you the old password before allowing you to change your password? It saves the old one plain text for a bit to compare to your new password.
A site always needs to ask you for your old password before changing it, even if it isn’t comparing it to the new one. If they didn’t, then it’d be trivial for attackers to get in just by changing the password to something they know.
Only if the attacker is able to get at your account when it is already signed on; otherwise they won’t (or shouldn’t) be able to get to the prompt for changing the password. That said, it is a good feature for situations where people stay signed on without necessarily being at their keyboard every minute even though other people are physically nearby.
One thing to keep in mind is that no non-trivial software is perfect. Flaws against password checking systems are found all the time. (Reading Slashdot regularly will easily persuade you of this.)
One relevant recent post they had was to this article about brute force amplification of attacks on WordPress. Turns out, you can do hundreds, maybe a thousand simultaneous password attempts in a single login try due to parallel execution of the checking method.
Having a lousy WordPress password greatly increases your chances of getting cracked.
Don’t trust the site to have all that great of software/people. Do the best at your end.
If you are Hillary Clinton or the head of a movie studio who just pissed off the North Koreans, and someone is specifically targeting you, you are in far more danger than if you are some random shnook. My childhood phone number has long since been given to someone else. I wouldn’t use it, but it would be reasonably difficult for someone to get it on the internet. Or impossible - numbers were not portable when my parents moved.
My passwords are memorable non-words with number and character substitutions for some letters. And they are long enough.
Use a password manager. That way, you only need to memorize one password and can access the others as needed.
Use acronyms as memory prompts to reliably memorize semi-random character strings (not truly random because some first letters are more common, but good enough for the purpose of defeating dictionary attacks). This gives you most of the strength of a moderately long phrase in a password that fits in a dozen-or-so character limit.