Effective IS Starts, Ends With Security Culture

If the CEO does not have to have a strong password, why should anyone else in the company? If the CEO does not take time to do security awareness training, why should anyone else?