This is one of the most important barriers to security. If secure practices are seen to get in the way of the more important things a users does (or those things which a user perceives to be most important), then these practices will be avoided by users.
A large number of support calls (estimates go as high as 70% [Trickey, 1998]) are password-related, and a large percentage of these calls are for forgotten passwords. It is fairly common practice to have users ``locked out" so they can only make a limited number of attempts to log in before they must make a support call. Getting locked out means a larger amount of wasted time for the individual, and time spent making support calls does not particularly reflect well upon an individual in a workplace. When it's so simple and seemingly harmless to write down a password, and the alternative is a lot of wasted time and potentially some loss of face, the choice seems clear. After all, the wasted time is guaranteed - an intrusion isn't all that likely, right?