We also wouldn't be having an issue with password leaks as I expect it would be simpler to move on to passkeys (or something else) than implementing a standard way of password rotation...
They're hard to explain to users, the implementations want to lock people to specific devices and phones, and you can't tell someone a passkey or type it in easily over a serial link or between two devices which don't have electronic connectivity.