I’ve had several companies, including cyber insurers, ask for specific password expiry policies and when I’ve gone back to them explaining that we don’t expire passwords and referencing the NCSC and NIST advice all of them have accepted that without any arguments.
As you say, these are largely box ticking exercises but you don’t have to accept the limited options they give you as long as you can justify your position
And to add to this, it can sometimes be helpful to reply to every wrongheaded security request with "I am not going to decrease the security of my users.". You can use before or after, but once you've explained why a request is not permissible, you can use this line instead of repeatedly explaining.
As you say, these are largely box ticking exercises but you don’t have to accept the limited options they give you as long as you can justify your position