Yeah, it sounds like the real problem is lack of off-site backups. Bad password policies will certainly make it easier for ransomware gangs, but they’re not the only thing that has to go wrong.