I've been saying this for a decade
This advice is from the 90s when password exploits were typically based on an attacker getting hold of the encrypted passwords and running crackers or rainbow tables against them. People weren't required to have good passwords back then so they were possible to crack.
Once you started seeing the uppercase/lowercase/number/punctuation type rules enforcing better passwords the return on investment for grabbing encrypted passwords was greatly diminished (at least for ones that protect real stuff, sites like El Reg that don't require good passwords could still have them trivially cracked, but there's no gain for anyone cracking Reg commentard passwords)
You can enforce some pretty nasty passwords if they know they are able to keep them forever, at least for several years instead of only 90 days. I've seen some places that required admin passwords be reset every THIRTY days. You are pretty much guaranteed that people will either write them down, cycle through a list of 'good' passwords they use at other places, or do something like HardPassword1234 HardPassword2345 etc. (I used the latter)
It will take another decade before this obsolete advice of frequent password resets gets removed from 'common wisdom' and checklists of generic security audits, unfortunately.