Interesting topic. I think it's fairly obvious that the granular rights approach is the most effective to date. However, this really doesn't fix the problem of password sharing for the users who feel they need more rights, no matter what anyone says. Nor does it fix the more universal problem, that we (IT) share more passwords than most.
In the 'old days' it was pretty close to this:
(source: 'A Beautiful Mind')
Now, it's gotten a little bit better with apps like 'KeePass' (at least we are trying to encrypt things now). But I still see more clients using a common local login for network gear than I see using TACACS+. We all do it (most all anyways) and we justify it through rationalizations that we need to log in constantly all over the network and don't have time to use a different password for everything. Which is kind of funny really, since TACACS+ would solve that problem.
Of course, we also have 10 million other things in our faces at all times, and a complete redesign of the processes and behaviors we use behind authentication is unreasonable on the surface. But, just like everything else related to security, it just takes one incident...