Possibly a holdover from the old, bad days of storing passwords in plaintext in the database, somebody said "nobody's going to need more than X characters," and it became a hard limit.
And then, later, when we all switched over to storing hashes instead of storing passwords, the idea of character limits never got quite all the way to the front end. (I'm working on a system right now that has a 35-character password limit. Granted, it's for mobile phones, where typing that much is a huge pain.)
Seriously, get rid of that limit - not all people type their passwords manually.
For instance, I have an online password generator that does an HMAC_SHA256 from a key + the domain name. I don't have to type the result - I just copy/paste!!!
I also get pretty annoyed when the validation in place asks me to also put an upper char or a number in it - as if a 15-char password like that is any less safe than a 70-char password that's made of only dictionary words + padding, which would be easier to remember but a lot harder to brute force.
Seriously, password validation these days is totally screwed.
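An added example (not code from either commenter) tying the two comments together: a generator of the HMAC_SHA256 kind described above produces a 43-character password, which a 35-character limit rejects, while the server-side hash is the same size for any input length. The function names, the base64url encoding, the lower-casing of the domain and the choice of PBKDF2 with its iteration count are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os


def site_password(master_key: bytes, domain: str) -> str:
    """Derive a per-site password as HMAC-SHA256(master_key, domain).

    Assumed details: domain is lower-cased, output is unpadded base64url.
    A 32-byte digest always encodes to 43 characters.
    """
    digest = hmac.new(master_key, domain.lower().encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def hash_for_storage(password: str, salt: bytes,
                     iterations: int = 600_000) -> bytes:
    """Server side: salted PBKDF2-HMAC-SHA256 (assumed KDF and cost).

    The result is 32 bytes whether the password has 8 or 500 characters,
    so the database column size does not depend on password length.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


def verify(password: str, salt: bytes, stored: bytes,
           iterations: int = 600_000) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hash_for_storage(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    key = b"constructed-demo-master-key"   # constructed sample value
    pw = site_password(key, "example.com")
    print(len(pw), "characters generated; a 35-character limit rejects it")

    salt = os.urandom(16)
    for candidate in ("short-pw", pw, "correct horse battery staple " * 10):
        stored = hash_for_storage(candidate, salt)
        print(f"{len(candidate):>3} chars in -> {len(stored)} bytes stored")
```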