I think the situation for actual PIN codes may be slightly better than suggested; sometimes (in the UK at least) your bank will assign you an initial PIN and I expect many people won’t change it, and by using a dump of passwords, you’ve probably captured some people who have created throwaway accounts and chosen the easiest possible password.