Hacker News

I work for a company that does the banking websites for several major banks (not going to mention any names here). We have a few customers who have quite low password length limits. There isn't any technical reason for this. We provide a configuration option that the bank can set to limit password lengths. So from my experience, the limits have less to do with technical reasons, and are instead arbitrary "business logic" limits.


Why don't you just tell them that for technical reasons, the lowest you "can" limit it to is 12 characters?


I'm just not part of any of those discussions. Besides, the code around passwords and their configuration has barely changed in the last decade; and the people who wrote it are now the ones discussing security with the banks.
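An added example, not code from the commenters or from their employer's platform, showing the approach the second reply suggests: keep the per-bank length limit configurable, but have the code refuse any configured limit below a fixed floor, so a tenant cannot set the maximum down to something like 12 characters. The config keys, the floor values (taken from NIST SP 800-63B, which requires at least 8 characters as a minimum and recommends allowing at least 64), the hard cap and the two sample tenant configs are all assumptions made for this example.

```python
"""Per-tenant password length policy with a hard floor on the configurable maximum.

Added example; not the platform code discussed in the thread. Config key names,
floor values and sample configs are assumptions made for illustration.
"""
import unicodedata
from dataclasses import dataclass

# Floors a tenant config cannot go below. Assumed values, following NIST
# SP 800-63B: require at least 8 characters, allow at least 64.
FLOOR_MIN_LENGTH = 8
FLOOR_MAX_LENGTH = 64
# Upper bound on what any tenant may allow, only to bound hashing work.
# Assumed value; passwords are hashed, so there is no storage reason for a tight cap.
HARD_CAP = 1024


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int


class PolicyConfigError(ValueError):
    """Raised when a tenant's configured limits fall outside the allowed range."""


def load_policy(tenant_cfg: dict) -> PasswordPolicy:
    """Build a PasswordPolicy from a tenant (bank) config dict.

    Missing keys fall back to the most permissive safe defaults. Values below
    the floors are rejected rather than silently corrected, so a bad config
    fails at deploy time instead of weakening the policy at runtime.
    """
    min_len = int(tenant_cfg.get("password_min_length", FLOOR_MIN_LENGTH))
    max_len = int(tenant_cfg.get("password_max_length", HARD_CAP))
    if min_len < FLOOR_MIN_LENGTH:
        raise PolicyConfigError(
            f"password_min_length={min_len} is below the floor of {FLOOR_MIN_LENGTH}")
    if max_len < FLOOR_MAX_LENGTH:
        raise PolicyConfigError(
            f"password_max_length={max_len} is below the floor of {FLOOR_MAX_LENGTH}")
    # Anything above the hard cap is clamped; that only makes the policy stricter.
    max_len = min(max_len, HARD_CAP)
    if min_len > max_len:
        raise PolicyConfigError(
            f"password_min_length={min_len} exceeds password_max_length={max_len}")
    return PasswordPolicy(min_length=min_len, max_length=max_len)


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable.

    Length is counted in Unicode code points after NFKC normalization so the
    same passphrase typed on different keyboards is measured consistently.
    """
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)
    errors = []
    if length < policy.min_length:
        errors.append(f"too short: {length} < {policy.min_length}")
    if length > policy.max_length:
        errors.append(f"too long: {length} > {policy.max_length}")
    return errors


# Constructed sample tenant configs (assumptions, not real bank settings).
WEAK_TENANT_CFG = {"password_min_length": 6, "password_max_length": 12}
SANE_TENANT_CFG = {"password_min_length": 12, "password_max_length": 128}


def demo() -> dict:
    """Run both sample configs through the loader and report what happened."""
    results = {}
    for name, cfg in (("weak", WEAK_TENANT_CFG), ("sane", SANE_TENANT_CFG)):
        try:
            policy = load_policy(cfg)
            results[name] = {
                "policy": policy,
                "passphrase_ok": check_password("correct horse battery staple", policy) == [],
            }
        except PolicyConfigError as exc:
            results[name] = {"rejected": str(exc)}
    return results


if __name__ == "__main__":
    for tenant, outcome in demo().items():
        print(tenant, outcome)
```

With this in place the "business logic" limit is still a configuration option, but the weak config is rejected when loaded rather than quietly applied, which is the technical argument the second reply proposes making to the banks.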



