NIST like the UK NCSC now advises against expiring passwords, following literal decades of UCL research concluding this. Everyone is now asking — when will UCL IT follow? https://www.thetimes.com/article/311a6e7a-a0a9-431d-b573-386249b2bc2c?shareToken=9ad1196c3b9c58b48172cec9cdef99a9

All considered, corporate America has still not backed away from this.. and I think that is because most USA companies use Microsoft AD. There is no way that MS is going to send down an edict that 'it was wrong' AND regrettably most admins see Microsoft (not NIST, etc) as authoritative.