I'm just being devil's advocate here.... ;-)
It's OK, that's the point of having an open discussion like this.
To answer your question (at least from my point of view), they have set a minimum of 10 characters, which can be fairly secure if all criteria are met (lowercase, uppercase etc.). It is based on statistics. The longer a password, the more time it will take to get cracked and the harder it is for an attacker. Keep in mind that for every extra character you add, the difficulty in cracking grows exponentially.
You can set a 12, 20, 50 character password if you want, that's even better! But imagine the reaction they would get from the customers if they set a minimum character length of 24, 30 etc.
Even though it wouldn't really make much difference to an admin, since most of the time they use random password generators, the fact they would see such a requirement would make them mad.
Just for a reference, for a 6 char password, including lower/uppercase letters + digits + special chars, there are 735,091,890,625 possible combinations. For a 10 char one there are 59,873,693,923,837,895,000.
By the way, nobody claimed that it's absolutely safe. It's just certainly safer. I guess they are trying to balance things out by not applying stricter formulas.
If I am not mistaken, for PCI compliance you are required to set a password of at least 7 chars.
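
The keyspace arithmetic discussed in the post above, as an added example that is not part of the original thread: it counts passwords over the 95 printable ASCII characters with exact integers, and also counts only those that satisfy an "at least one character from every class" rule. The class sizes and the guess rate are assumptions chosen for illustration.

```python
from itertools import combinations
from math import log2

# Assumed alphabet: printable ASCII without space-less classes split as
# 26 lowercase, 26 uppercase, 10 digits, 33 specials (95 characters total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Assumed attacker speed for the time estimate (hypothetical figure).
GUESSES_PER_SECOND = 10**10


def keyspace(length, classes=CLASSES):
    """Number of strings of `length` over the combined alphabet."""
    return sum(classes.values()) ** length


def keyspace_all_classes(length, classes=CLASSES):
    """Strings of `length` with at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing
    one class, add back those missing two, and so on.
    """
    sizes = list(classes.values())
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def years_to_exhaust(space, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate, in years."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (6, 7, 10, 12):
        full = keyspace(n)
        policy = keyspace_all_classes(n)
        print(f"{n:>2} chars: {full:,} total ({log2(full):.1f} bits), "
              f"{policy:,} meet the all-classes rule "
              f"({policy / full:.0%}), "
              f"{years_to_exhaust(policy):.3g} years to exhaust")
```

The all-classes count is always smaller than the full count, because a composition rule removes candidates an attacker would otherwise have to try; the growth with each extra character still dominates.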