In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
You haven’t provided any evidence to support your claim. Online accounts can’t easily be brute forced.
If a hash is leaked you just change the password. As long as you aren’t reusing the same password everywhere you are fine.
If the hashes are leaked and that’s immediately caught and customers are immediately informed, just change your password.