As already mentioned by multiple commenters, the article fails to address any weakness or flaw in Randall Munroe's four-random-words scheme. Given a 2000-ish word dictionary, the xkcd scheme ensures 44 bits of entropy. It seems like Bruce Schneier mistook the scheme as one relying on sheer password length (which would have yielded 117-ish bits of entropy for the xkcd example) rather than dictionary size. Either way, I'd like to hear from Bruce what he meant.
As for the "Schneier Scheme", it has a deceptive (and significant) weakness: The sentences people will tend to choose will not be random or unique. They will be based on famous quotes, song lyrics, company slogans, catchphrases, memes, and poem verses. This, coupled with the near-certainty that people will want a password of a reasonable length, leads the industrious password cracker to do something like this:
(disclaimer: I have actually used a scheme identical to Schneier's method for over a decade, but I would prefer to switch to the xkcd scheme today if most password policies didn't require numerics and special chars)
Collect poetry (all the popular stuff is easy to find), lyrics (millions of tracks easily found), quote collections (readily available), movie scripts (easily gotten from subtitle databases) and the all-time-greatest-hits of the Gutenberg collection. This would amount to a good chunk of data at first glance, but in reality it shouldn't be more than a couple of gigabytes. Still, too much to process by hand, so we throw a little bit of Big Data processing at it; a small Hadoop cluster should make short work of it.
First we split all the text into smaller chunks, by sentence or part-of-sentence -- whatever feels reasonable, possibly multiple ways to account for passwords starting mid-sentence.
Then we strip all but the first letter of each word and remove all the spaces. Special characters like dashes are kept, words with common single-char abbreviations are rewritten ('and' to '&', 'you' to 'u', 'one' to '1', ...). The result is a large (perhaps even too large) corpus of 'Schneier Scheme' strings encompassing every well-known sentence in the English language, including some punctuation and all the expected upper-lowercasing.
Of course, the above corpus is still a bit large, so we weed out the too-short and too-long strings, since most sites/systems require a minimum password length, and most people will not want to type much more than maybe 12 characters. This brings our corpus size down a little.
Finally, we do some qualitative scoring on the strings; we might do a simple case-insensitive word count on the results in case some gibberish strings tend to appear more commonly; we might construct a suffix trie of the entire corpus, we might use frequency analysis on bigrams and trigrams, and we might give additional weight to this year's pop songs or recent blockbuster movies; and through all this arrive at a (still very large) corpus of 6-12 character strings, sorted by some (admittedly fuzzy, but probably not half bad) measure of 'likelihood'.
Finally, we return just the top million strings or so -- hardly a challenge for any decent password cracker tool, and it'll find every single instance of "Ik1g&Ili" -- "I kissed a girl and I liked it".
Couple these with some mutating appendages and I'm betting you'll break most real-world "Schneier Scheme" passwords. Not because the scheme itself is broken (it's not), but because people are pragmatic and not very good at generating (or remembering) personal, unique sentences.
People want something they can remember, and the more "pattern-breaking" (i.e. hard) transformations they do to the string, the harder their password becomes to remember. Most people will choose a quote they like, include a comma or a dash in the correct place, capitalize the correct word(s) and perhaps add an appendage (especially if the original sentence wasn't very long).
Worse yet, some people will actually choose a unique sentence they like, but they'll choose one they like so much that it can be mined right off their own Twitter/Facebook/Google+ feeds.
Anyway, to make a long story short: I'd still like to hear Bruce elaborate on why he won't recommend the xkcd scheme.