Cougar on "Man who wrote password guidelines says he got it all wrong...."

The reason "HORSE" is less secure than "HOR5E" is because you can complete the rest of the word from the starting few letters, because the word's architecture is set by the English language layout.

Except that crackers are well versed in the notion of letter substitution. It's trivial to include 0 (zero) alongside o and O in a dictionary attack.

3) It's not like in the films where you can brute-force a password any longer. Pretty much all systems will not allow repeated and rapid password entries without flagging an attack attempt, so even say 100 possible combinations of password are pretty secure in reality.

Where this falls down is when you're not actually attacking live accounts. In the two cases mentioned previously, the user database was compromised meaning that the hackers had an offline copy of usernames and password hashes. Any login delays or automatic lockouts are immediately moot.

Now, the passwords were encrypted (hashed), but using MD5. MD5's flaw here is that it's cryptographically fast - it's easy to compute MD5 hashes. With a modest PC you can brute-force a six-character password in as many seconds, an eight-character password in a couple of hours. How many folk have passwords longer than eight characters? Statistically few, I'd wager.
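As an added illustration (not part of Cougar's post or the forum), here is a small Python check written from the defender's side of both points above: it undoes the letter substitutions a dictionary attack would try before comparing a candidate against a wordlist, and it stores passwords with a salted, deliberately slow hash rather than plain MD5, so an offline copy of the database is far more expensive to work through. The substitution map, the wordlist and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

# Substitutions a cracking rule set would try next to the plain letter
# (the post's "0 alongside o" point). Assumed mapping, not an exhaustive one.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"horse", "password", "welcome", "singletrack"}

SALT_LEN = 16


def normalise(password: str) -> str:
    """Lower-case the password and undo common substitutions, as a cracker's rules would."""
    return password.lower().translate(LEET)


def is_dictionary_word(password: str) -> bool:
    """True if the password is a wordlist entry, with or without substitutions.
    "HOR5E" therefore fails this check just like "HORSE" does."""
    return normalise(password) in WORDLIST


def hash_for_storage(password: str, iterations: int = 600_000) -> bytes:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) instead of a single fast MD5.
    The per-user salt defeats precomputed tables; the iteration count makes
    each guess against an offline copy cost hundreds of thousands of hashes.
    Returns salt || digest so both fit in one stored column."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt + digest


def verify(password: str, stored: bytes, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```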

