I appreciate that you guys have SAML on your feature list.
The problem is not the password strength; the problem is the number of passwords, as well as the management of them. When I mentioned “password policy”, this is not about the number and type of characters, but about the idea that any user should only have one password, that we are able to enfore password change, that we can manage user lifetimes, etc.
Another issue is the reuse of passwords. (See for example https://www.troyhunt.com/science-of-password-selection/: “What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password”)
As a service provider, you should appreciate the reduced liability that comes with not managing passwords. If you were to lose your password database (like linkedin and many others), you will quickly come to appreciate how much better life would have been if this was handled by the customers themselves.