Hacker News

kube-system · today at 12:34 AM · 0 replies

They specifically addressed the temporal element:

> They haven’t kept up.

Other standards all used to recommend password rotation. Most have amended it to deprecate or even prohibit password rotation.

> Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed

It wasn’t just that.

The original recommendation for password expiration failed to take into account the human practices that resulted.

Everyone has worked in an office with passwords on post-it notes, or seen passwords numbered with sequentially incremented integers at the end. Password rotation isn’t merely a baseline level of assurance; it has a negative impact on security because of the effect it has on password hygiene. In practice, passwords that expire can be easily guessed by appending something to the end of the prior password. And they are more likely to be written down in plaintext.

Permanent, non-expiring passwords without MFA are stronger in practice than expiring passwords.
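The failure mode the comment describes (a forced rotation answered with `Summer2023!` becoming `Summer2024!`) is something a password-change handler can detect at the one moment it legitimately holds both values in plaintext: when the user proves the old password to set the new one. The following is an added example written for this page, not code from the commenter or from any real product. The rules, thresholds (`max_edits = 2`) and the sample password pairs are all constructed assumptions, and the check is a hygiene aid for defenders, not a substitute for dropping mandatory rotation and adding MFA.

```python
import re

# Trailing punctuation that users typically bolt onto a rotated password ("!", "!!", "#1").
_TRAILING_PUNCT = "!@#$%^&*()_-+=.,;:?"


def _stem_and_counter(pw: str):
    """Split a password into a lowercase stem and its trailing digit run, ignoring
    trailing punctuation, so 'Summer2023!' -> ('summer', '2023')."""
    core = pw.lower().rstrip(_TRAILING_PUNCT)
    m = re.fullmatch(r"(.*?)(\d*)", core)
    return m.group(1), m.group(2)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough here that the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_rotation_reason(old: str, new: str, max_edits: int = 2):
    """Return a human-readable reason if `new` is a predictable mutation of `old`,
    otherwise None. Both values are the plaintext supplied during a password change;
    never persist them beyond this check."""
    if old == new:
        return "unchanged"
    o, n = old.lower(), new.lower()
    if o == n:
        return "case change only"
    if n.startswith(o) or o.startswith(n):
        return "old password with characters appended or removed"
    stem_old, _ = _stem_and_counter(old)
    stem_new, _ = _stem_and_counter(new)
    if stem_old and stem_old == stem_new:
        return "only the trailing counter or punctuation changed"
    if _edit_distance(o, n) <= max_edits:
        return f"within {max_edits} edits of the old password"
    return None


def is_trivial_rotation(old: str, new: str) -> bool:
    return trivial_rotation_reason(old, new) is not None


def audit_rotations(pairs):
    """Given (old, new) pairs from forced-rotation events, return how many were trivial.
    Useful as evidence when arguing a rotation policy down, without logging passwords."""
    return sum(1 for old, new in pairs if is_trivial_rotation(old, new))


# Constructed sample of rotation events (hypothetical, for illustration only).
SAMPLE_ROTATIONS = [
    ("Summer2023!", "Summer2024!"),          # counter bump
    ("Winter", "Winter1"),                   # suffix appended
    ("Tr0ub4dor&3", "Tr0ub4dor&4"),          # counter bump behind punctuation
    ("Passw0rd", "Password"),                # one-character edit
    ("Winter", "correct horse battery"),     # genuinely new secret
]

if __name__ == "__main__":
    for old, new in SAMPLE_ROTATIONS:
        print(f"{old!r} -> {new!r}: {trivial_rotation_reason(old, new) or 'ok'}")
    print(f"{audit_rotations(SAMPLE_ROTATIONS)} of {len(SAMPLE_ROTATIONS)} rotations were trivial")
```

The check runs only inside the change-password flow, where the old value is already in memory to verify the user; it must never be applied against stored hashes or stored plaintext. The `audit_rotations` count is a way to put a number on the comment's "in practice" claim for your own user base without retaining any passwords.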