Why would the "Security division" of a certain 3 letter company have such a horrible password policy?

Why would the "Security division" of a certain 3 letter company have such a horrible password policy?