This is common. Sometimes a security policy works (e.g. a password length requirement may cause people to come up with stronger password) and sometimes people consider it excessive and prefer to work around it (e.g. a password length requirement may cause people to write the password down on a sticky note and attach it to the computer screen).