I would say not only are many organisations storing unhashed/salted/encrypted passwords, the majority of organisations are doing this (based on my consultancy experience, anyway). This is one of those things developers shove in quickly, then never come back - a classic case of technical debt, albeit one that could destroy your organisation.
Steve's point about most people using the same password over and over is all too true unfortunately. The sheer number of things we're expected to sign up for these days doesn't help...I recently completed an inventory of my online user accounts (prompted by the death of a cousin who left no details behind), and I found I'm registered with around 60 sites...and they are just the accounts I managed to remember. Scary stuff...and yes, I use a different password for each of them.
I wanted to pick up on the point about organisations not restricting password length...can you believe Microsoft limits you to a 16-character password on Office 365? Specifically, between 8 and 16 characters. Not good. Come on Microsoft, take the lead and sort this out!