
The Schneier article is puzzling; the security of the diceware/XKCD scheme doesn't rely on the word list being secret, just on the words from the list being chosen randomly. 4 words randomly chosen from a list of 5000 provide about 49 bits of entropy when the list of words is fully known.

Against an attacker who knows exactly how you chose your password, it's (roughly) the same level of security as a 14-digit numeric code, or an 8-letter case-sensitive alphanumeric code. It's just supposed to be easier to remember.
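As an added illustration of the figures in the comment above (example code, not the commenter's; the word list is a constructed toy, and the 5000-word list size is the comment's assumption):

```python
import math
import secrets

# Constructed toy word list. A real diceware list has ~7776 entries; the
# comment above assumes a 5000-word list. The list is public: only the
# random choice of words from it has to be unpredictable.
WORDS = ["correct", "horse", "battery", "staple", "apple", "river", "cloud", "stone"]


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from a known list."""
    return n_words * math.log2(list_size)


def equivalent_length(bits: float, alphabet_size: int) -> float:
    """Length of a uniformly random string over alphabet_size symbols
    carrying the same entropy (e.g. 10 for digits, 62 for [A-Za-z0-9])."""
    return bits / math.log2(alphabet_size)


def generate_passphrase(words, n_words: int) -> list:
    """Pick n_words with a CSPRNG; random.choice would be the wrong tool here."""
    return [secrets.choice(words) for _ in range(n_words)]


if __name__ == "__main__":
    bits = passphrase_entropy_bits(5000, 4)
    print(f"4 words from 5000: {bits:.1f} bits")
    print(f"same strength as {equivalent_length(bits, 10):.1f} decimal digits")
    print(f"same strength as {equivalent_length(bits, 62):.1f} alphanumeric chars")
    print("toy passphrase:", " ".join(generate_passphrase(WORDS, 4)))
```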



His point is that using actual, grammatically correct sentences is not the same as using several random words. As your mobile keyboard autocomplete well knows, after a certain word there are words more probable than others.

How many people use this kind of approach, I don't know. Schneier seems to focus on "three random letters" kind of attacker.



