charcircuit 3 hours ago
They may be limiting entropy to make it easier for users to remember their password. A user that can't log in is most likely one that will churn.
xp84 an hour ago
I don't think firms like the electric company or (payroll company) ADP are worried that I'll churn. Also, the Venn diagram of "memorable" and "reasonably secure" really only intersects in the region of "Correct horse battery staple" phrases -- and the problematic sites I'm talking about nearly always limit length, which thwarts that type of password terribly. What is the purpose of maxlength on a password?? These shouldn't be stored in any form other than a hash, so unless long enough to pose a DoS threat during the hashing process, length is truly none of their business.
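
Added example, not written by either commenter: a sketch of the storage argument in the last comment, where the stored record has the same size for any password length and the only length limit is a generous cap that bounds hashing work. The cap, iteration count, salt size and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed values for this sketch, not taken from the thread.
MAX_PASSWORD_BYTES = 1024      # generous cap, present only to bound hashing work
PBKDF2_ITERATIONS = 200_000    # assumed work factor; tune for your hardware
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised when input exceeds the cap, before any hashing is done."""


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || derived key: 48 bytes regardless of password length."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return salt + key


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_BYTES], record[SALT_BYTES:]
    try:
        candidate = hash_password(password, salt)
    except PasswordTooLong:
        return False  # oversized input can never match a stored record
    return hmac.compare_digest(candidate[SALT_BYTES:], expected)


if __name__ == "__main__":
    # Constructed sample passwords: short, passphrase, and one at the cap.
    for pw in ("hunter2", "correct horse battery staple", "x" * 1024):
        print(f"{len(pw):>5} chars -> {len(hash_password(pw))} byte record")
```
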