Actually the main reason I have seen in practice is that banks still use a lot of legacy software in their core banking systems and many of the green screen mainframe programs have things like maximum password length of 10 characters or no punctuation (alphanumeric allowed). Of course eminently solvable but still surprisingly common.