On the other hand, and still in reference to the Risk Register, we question whether it is reasonable to consider the 'vulnerability' weak password in the Asset-Human Resources (top management, employees, etc.), rather than in the more obvious Asset-IT and communication equipment (desktop computers, mobile devices, etc.). This, in the sense that our people set their passwords and are expected to comply with the password construction guidelines/Password Policy; and in the end, it can be through their following of the rules that this can be assessed. We are not certain if this approach makes sense or is viable.
Since you are considering the weak password vulnerability to be related to people's behavior, then it makes sense to consider it for Human-related assets in this case, but please note that you can also have situations where this vulnerability can also be defined for IT equipment.
For example, some equipment only allows PIN numbers as passwords, or it is not possible to enforce password rules on them; in this case you can also define weak passwords as a vulnerability for IT equipment. You can use only one of these two vulnerabilities, or you can use both if both are applicable.