I agree with your logic regarding websites where if they get in they really can't do anything that's harmful or destructive to you. An example of that would be some free website, say for BMW enthusiasts. Amazon or similar that has your credit card on file, they could change the ship-to address, the email address, the password, and then order a lot of stuff. You previously cited your electric bill as an example. If all you can do there is pay the bill, then I'd agree. But some now have the capability to also enter requests to terminate service. While a hacker can't profit from that, some teenage hacker might think it's a funny joke.
I start to get annoyed when websites impose ridiculous pwd rules, like insisting that you not only use letters and numbers, but also that it has to have upper and lower case. I find that very annoying, because I can remember a password with a couple digits added, but remembering which letters have to be caps for the few that require that is pushing it.
And how long the pwd is isn't a very good metric of how secure it is. For example, "password" is 8 characters, but obviously a really bad choice compared to "xugj". One bad practice is to use the same pwd for all websites. Using the same one for a financial institution as you use for that BMW enthusiast website, which could be hosted in someone's bedroom, isn't a good idea. You don't need a different one for each place, but using some logic, having a few, keeping them segregated is a good idea.