Denise (denise) wrote in dw_news 2023-01-31 04:06 pm (UTC)

Re: Password Managers

The issue is that people build databases of common passwords to try, and as the advice on creating passwords changes, so do the databases. Websites limit how many attempts someone can make to get into your account (or at least they should!), but when a hacker gets an entire password file for a website, they can run software that will brute-force as many guesses as possible against the encrypted passwords, because computers have gotten really, really fast at brute-force attacks, and people have developed really clever ways to brute-force passwords.

One of those really clever ways to brute-force passwords involves trying to figure out which words and which letters are most likely to appear next to each other, and song lyrics in particular have a lot of websites with really exhaustive lists of sample text (there being approximately 80,000 song lyrics databases out there). Ditto movie quotes, book quotes, etc. The "correct horse battery staple" technique XKCD recommends only works if the words are truly and honestly random and are less likely to have ever appeared next to each other in any known body of text. (I will also note that four words is generally not enough anymore, and there's a dictionary size problem: you need a large dictionary to select the random words from.) Our brains are really bad at randomness; most of us have a lot of the same associations between words, which makes us more likely to think of the next word from a much smaller list. (Think of those free-association party icebreakers: a lot of the time, people will say words that are similar to the one you were thinking of, right?)

A lot of the security advice for the average person with no elevated threat model (unlike people such as activists, journalists in oppressive regimes, etc.) revolves around making your accounts harder than everyone else's to break into, because most malicious people will be satisfied with just breaking into the easiest 25% or whatever: for those people, if it's a question of "this is the only way I'll ever remember this master password", it's "okay-ish but not great" if you use a quote from something (but it's safer, if you do, to rephrase it or change a few words so it's not exactly the quote that's likely to be in quote databases). But every step you take to further transform the particular mnemonic you use is going to make things even safer against brute-force attacks.
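The following is an added illustration of the two points made in the comment above (an offline attack over a leaked hash file driven by a quote database plus cheap mangling rules, and why both dictionary size and word count set the strength of a randomly chosen passphrase). It is not code from the original comment or from Dreamwidth. The quote list, the tiny word list and the "leaked" hashes are constructed here for the demo, the usernames are invented, and unsalted SHA-256 stands in for whatever hash a real site would store.

```python
import hashlib
import math
import secrets

# Constructed stand-in for the lyric/quote databases that crackers feed
# into wordlist attacks; real ones hold millions of lines.
QUOTE_DB = [
    "we are the champions my friends",
    "may the force be with you",
    "to be or not to be that is the question",
    "correct horse battery staple",
]


def passphrase_entropy_bits(dict_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly and independently from a
    dictionary of `dict_size` entries. Assumes the attacker knows the
    dictionary and the method, so only the random choices are secret."""
    return words * math.log2(dict_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret of `bits` entropy:
    the attacker searches half the space on average."""
    return 2.0 ** bits / 2 / guesses_per_second


def random_passphrase(wordlist: list[str], words: int) -> str:
    """Pick words with the CSPRNG, not by free association."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def mangle(phrase: str):
    """Cheap rule variants a cracker applies to every wordlist entry:
    casing, dropped spaces, one appended digit (24 candidates per entry)."""
    yield phrase
    yield phrase.capitalize()
    yield phrase.replace(" ", "")
    yield phrase.title().replace(" ", "")
    for digit in "0123456789":
        yield phrase + digit
        yield phrase.replace(" ", "") + digit


def sha256_hex(text: str) -> str:
    # Unsalted SHA-256 keeps the demo fast; a real site should store
    # salted, deliberately slow hashes (bcrypt, scrypt, Argon2) instead.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def offline_attack(leaked_hashes: set[str], quote_db: list[str]):
    """Run every quote and its variants against the leaked hash set; no
    per-account rate limit applies offline. Returns ({hash: plaintext}, guesses)."""
    cracked: dict[str, str] = {}
    guesses = 0
    for quote in quote_db:
        for candidate in mangle(quote):
            guesses += 1
            digest = sha256_hex(candidate)
            if digest in leaked_hashes and digest not in cracked:
                cracked[digest] = candidate
    return cracked, guesses


if __name__ == "__main__":
    # Constructed "leaked password file": one exact movie quote with a
    # digit stuck on, one rephrased quote, one CSPRNG-chosen passphrase.
    # The 8-word list is only to keep the demo small; use thousands of words.
    tiny_wordlist = ["anvil", "brisk", "cobalt", "drowsy",
                     "ember", "fjord", "glacier", "hollow"]
    users = {
        "alice": "maytheforcebewithyou1",
        "bob": "may the force stay with us",
        "carol": random_passphrase(tiny_wordlist, 6),
    }
    leaked = {sha256_hex(pw): user for user, pw in users.items()}
    cracked, guesses = offline_attack(set(leaked), QUOTE_DB)
    for digest, plaintext in cracked.items():
        print(f"cracked {leaked[digest]}: {plaintext!r} within {guesses} guesses")
    for user, pw in users.items():
        if sha256_hex(pw) not in cracked:
            print(f"{user}: survived the quote list plus mangling rules")

    # Why word count and dictionary size both matter. The rate assumes a
    # fast unsalted hash on a GPU rig; slow hashes cut it by orders of magnitude.
    rate = 1e10
    for dict_size, words in [(2048, 4), (7776, 4), (7776, 6)]:
        bits = passphrase_entropy_bits(dict_size, words)
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{words} words from {dict_size:>5}: {bits:5.1f} bits, "
              f"~{days:.1f} days at {rate:.0e} guesses/s")
```

The entropy figures assume the attacker knows exactly which word list you drew from; the number only holds when the picks are uniformly random, which is why the script chooses with `secrets.choice` rather than asking a human. Four words from a 7776-word (diceware-size) list is about 52 bits, which a fast-hash cracking rig covers in days, while six words from the same list is about 78 bits.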
