Because it's not true! Or at least not the way it was explained. The reason to change your password is to avoid the vector of attack where someone gets your password and can therefore use it against you. If you change your password each month, you limit the damage the person can do to whatever they can achieve in that month. Similarly if they have your username and don't have your password, they only have a month to try as many combinations as they can.
To say that is is 'the only way' is certainly not true. However, it does help in these circumstances and that's why it is a method which is used - mostly in companies as far as I can tell.
I think corporations are just as worried about employee X willingly giving account info to employee Y, as they are about a malicious attack.
Of course the real fix for both scenarios is two-factor authentication. Not something that practically begs the user to either write their password down or append apr-11 to their normal password.
To say that is is 'the only way' is certainly not true. However, it does help in these circumstances and that's why it is a method which is used - mostly in companies as far as I can tell.