There are quite a few scenarios where a sustained, hidden compromise is an order of magnitude (or several) worse than a one-time obvious compromise.
The first to come to mind is a corporate espionage scenario. Do you want to know what your competitor is up to today, or do you want access to their briefings/CAD/code for the next 12 months? Long duration compromises also allow you to slip data out slowly, so a NAS doesn't show 200GB being transferred off in a matter of hours, but a slow drip of 100MB a day.
At a personal/home use level, long term access to a bank account allows an attacker to build up a spending profile, which depending on your habits, could be used for blackmail.
Password rotation doesn't fix that because the difference between myLongPassWordThatDoesntChange and myLongPassWordThatRotates7 is effectively meaningless. An adversary who has your current password can almost certainly guess your next one because changing the 7 to an 8 is a pretty obvious step, and it's one that most people do when forced to rotate.
Forcing password rotation guarantees that most people will just use the shortest possible password and stick some rotating suffix on it because your policy is pointless and annoying. You make yourself the adversary when you enforce policies like this and people stop trying to be secure and just try to get on with life.
The reality is that passwords are being deprecated as strong security boundaries.
We've been working under this fantasy that it's acceptable to make a "strong" password and have a meaningful expectation that you can maintain the security and integrity of access. Multi-factor authentication is the best solution to this problem -- a moderately complex password with MFA is stronger than a password.
If you want to compromise somebody long-term, you move laterally within the target's network and infect multiple devices.
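The "7 to an 8" problem above is something a defender can actually check for at change time, when the user supplies both the old and the new password. The following is an added example, not code from any commenter: a small rotation-triviality check that flags an unchanged password, a changed-only-in-the-numeric-suffix password, an incremented suffix, and anything within a couple of edits of the previous one. The function and threshold names are my own assumptions.

```python
import re
from typing import Optional

# A password is split into a "stem" and an optional trailing run of digits,
# so "myLongPassWordThatRotates7" -> ("myLongPassWordThatRotates", "7").
_SUFFIX_RE = re.compile(r"^(.*?)(\d+)$")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(pw: str):
    m = _SUFFIX_RE.match(pw)
    return (m.group(1), m.group(2)) if m else (pw, None)


def rotation_is_trivial(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return a reason if `new` is a predictable derivative of `old`, else None.

    Intended to run inside a password-change handler, where both values are
    available in cleartext for that one request. `max_edits` is an assumed
    policy threshold, not a standard.
    """
    if old == new:
        return "unchanged"
    old_stem, old_num = _stem(old)
    new_stem, new_num = _stem(new)
    if old_stem.lower() == new_stem.lower():
        # Same word, only the trailing counter moved: the classic "7 -> 8".
        if old_num is not None and new_num is not None and int(new_num) == int(old_num) + 1:
            return "numeric suffix incremented"
        return "only the numeric suffix differs"
    if _edit_distance(old.lower(), new.lower()) <= max_edits:
        # Catches "Summer2023!" -> "Summer2024!" and single-character swaps.
        return f"within {max_edits} edits of the previous password"
    return None
```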
Anecdotal and only related to your last paragraph, but as a security researcher I can say that 99% of the time attacks on a personal bank account are never "long term." Most of the time, regardless of skill, hackers get in, cash out and disappear. It's far more lucrative (and generally safer) to empty the account than try to blackmail someone based on spending habits.
I happen to know of a bank exploit in which the attackers compromised one thousand online accounts, and attacked all of them (transferring funds) on the same day.
Presumably the attackers were worried that after several transfers the bank would notice and block further access, so they kept a roster of compromised accounts to attack all at once. I suppose that a password rotation policy would have helped mitigate damage in this case, though something like fail2ban or automated IDS would have been better.
Again, if your corp doesn't have a policy for off-boarding employees and removing their access then you've failed. If your corp doesn't have a policy of not having shared accounts then you've failed... if you are forced to have shared accounts then you need to have in your off-boarding policy that anyone who had access (which was a purely need-to-know basis) once off-boarded would trigger that password change.
The point being that what you are seeing as benefits of password expiration are better achieved with proper policies that management and HR operate under... while password expiration may in some ways help you achieve your goal in a lazy manner it also opens you to ALL your employees using weaker passwords and giving you way more attack points than the off chance that someone decides to not follow the policies you established above.
Also none of those policies require an "IT pro" ... implementing them might, but understanding the goal of the policy and putting them into place is something any good management team should be able to accomplish.
I agree with you in principle, but it is also important to remember that policy != practice. For a policy against shared accounts, for example, there is no reasonable way to guarantee that Employee A has not given his password to Fired Employee B.