From what you said earlier you can catch 70% of them pretty easy.


Sure, if you go through all their stuff. And then what? Do we fire 70% of our staff?


Well, you could. Whether you should depends on the context, including importance of security, importance of institutional stability, other available mechanisms for punishment, &c...

But honestly, I mostly just thought the inconsistency between your two figures was amusing.


The inconsistency is a result of the fact that that number came from a one-time, expensive, intrusive audit that necessarily covered a subset of all our people. Even then we didn't go through anyone's wallet where I would expect to find at least that many.

After that the password policy was substantially relaxed so people could remember them more easily, and dire warnings were issued about writing them (and safe combinations) down. I moved on to a new job shortly after, so I'm not sure how much those warnings were taken to heart.


Well, wallet is a much better place than desk drawer.

https://www.schneier.com/blog/archives/2005/06/write_down_yo...

Still may or may not be acceptable, depending on context.

