* For "moderately" strong passwords (say, ones which need 10,000 attempts to get), getting at your encrypted files means the difference between you being able to throttle-and-disable a serial guesser and having the password hacked (bonus points if that was the password your user uses on other sites with the same username).
* An attacker can go over the file to find an "extremely" easy password for some user.
* A determined attacker can test hundreds of millions of passwords for a specific user, and know when he succeeded, before you ever notice it. So unless your website has a "change password every year" policy, the attacker can breach even "moderately strong" passwords.
This is even before issues like "well-proven encryption libraries" still getting broken: if the one you used is broken, your file is still out there.
This doesn't mean that it cannot be done, with enough care -- but it does mean that if you avoid doing it, it's a big relief, and a big potential crisis averted.
In my database I store hashes obtained with Blowfish:
How many tries would you have to make to guess it? And for the other passwords you have to start all over again.
I think that storing them is not more difficult, it is more convenient and secure (of course this is relative). But maybe I am missing something about the security of this scheme.
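The scheme the post above describes (per-user salted, deliberately slow hashes, so that cracking one user's password tells you nothing about the next) can be illustrated as an added example that is not part of the original thread. The poster uses Blowfish (bcrypt); this example swaps in PBKDF2-HMAC-SHA256 from Python's standard library so it runs without third-party packages, and the user table, wordlist and iteration count are constructed for the example. The `guess_password` function is the attacker's side: an offline dictionary attack that has to be repeated from scratch per user because every user has a different salt.

```python
import hashlib
import hmac
import os

# Work factor: raises the cost of every guess the attacker makes.
# Constructed for the example; tune it to your own hardware budget.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing hash string: algorithm$iterations$salt$digest.

    A fresh random salt is generated per call, so two users with the same
    password get two unrelated hashes.  (PBKDF2 stands in for bcrypt here.)
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def guess_password(stored, wordlist):
    """Offline dictionary attack against one stored hash.

    Returns (password, attempts) on success or (None, attempts) on failure.
    Each attempt costs a full PBKDF2 run, and nothing learned here carries
    over to another user's hash because that hash uses a different salt.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if verify_password(candidate, stored):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed user table: two users chose the same weak password.
    users = {
        "alice": hash_password("letmein", iterations=20_000),
        "bob": hash_password("letmein", iterations=20_000),
    }
    print("alice:", users["alice"])
    print("bob:  ", users["bob"])
    print("same password, identical hashes?", users["alice"] == users["bob"])

    # Constructed wordlist: the attacker tries the usual suspects first.
    wordlist = ["123456", "password", "qwerty", "letmein"]
    for name, stored in users.items():
        found, n = guess_password(stored, wordlist)
        print("%s: cracked=%r after %d attempts" % (name, found, n))
```

Because the salt is random per user, the attacker's work for alice cannot be reused for bob even though both passwords are identical; the iteration count then decides how expensive each of those attempts is. In production, prefer a dedicated password hash (bcrypt, scrypt or Argon2) and keep the hash string self-describing, as above, so the work factor can be raised later without breaking existing rows.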