
Network security isn't a person problem, it's a system problem. You can't fix system problems with personal solutions.


But security across multiple sites _has_ to be fixed on the person end, because it can't be fixed on the system end. If you use the same password for 10,000 sites, there's no fix on the 'system' end to make them all secure, because they're all run by different people. It only takes one of them to fuck up.


Third option: there is no "fix," on either end, so telling people to change all their passwords is pointless.


I fixed it for myself by using a password manager. I only have to worry about securing the (encrypted) database, which is comparatively trivial.

I'm still vulnerable to the "supercomputer cracks your encryption" attack but that's orders of magnitude better than having my bank account compromised because some blog leaked my universal password.

Edit: If there were no fix, changing all of your passwords would be the only option besides letting the Internet at large have your accounts. Unless I'm misreading you.


The example was 10,000 sites, so changing all of your passwords being the only option is no option at all.


Good security comes in layers. You are right that you can't control all the layers, but you can make the layers you do control stronger. In today's world (which isn't ideal) that means good password management.



