
I don’t agree with that. Regular password rotation increases the opportunity for phishing attacks because people become used to sleepwalking through it. And users are generally just adding one or two characters to the password anyway.

Instead, that energy is better spent on requiring strong passwords and people using password managers and two-factor.



Password rotation in this context is for the infrastructure, not normal user accounts.

There are other options for securing/managing infrastructure access (e.g. PKI, Hashicorp Vault), but if you're using passwords, it's a good idea to rotate them if only to encourage good practices around automation.


I'm not referring to user accounts, I'm referring to password management for things such as database and/or internal APIs.



