Click for full-size
It should be obvious that salting is not enough. Even with a site that has 10 million users, an attacker can make millions of guesses per user per day against salted SHA-1* or MD5. A strong password hash literally makes password cracking a million times harder. If an attacker can only guess a handful of passwords per day, per user, then any user with a password that isn't his name, username, or on one of the worst passwords lists is probably going to be okay. There is some safety in numbers.
If an attacker targets a single account, he can still make millions of guesses per day, even with a strong password hash. There is no safety in numbers once the attacker is focused on you. Pick good passwords.
* I used SHA-1 as an example because it's common. The SHA-2 family are stronger cryptographic hashes, but they don't provide any significant benefit beyond SHA-1 for password hashing.
Edit: I'd like to point out that, for simplicity, these numbers do not factor in the number of passwords that are actually cracked along the way.
Edit #2: I expanded the graphic to include user counts of 10k, 100k, and 10M. Thank you Solar Designer for the suggestion.