That is a valid question to ask authors of systems that do not allow passwords longer than 12 characters (or 8, which is another popular upper limit, which can have some vaguely meaningful technical reason for legacy systems).
My old bank required an exactly 5 character password.
They had two-factor authentication though, with a phone call or SMS. What happened if you forgot your password? Well, you had to reset it, using only phone call/SMS, of course!
Banks are more willing to eat the fraud costs involved with real-world compromised PIN codes than to deal with the customer support for forgetful users.
Oh, but they have a 4-digit PIN, too! That makes it oh so much more secure.