What's the theory? Nobody is spending a year to crack your passwords or use a leaked password, so either they are strong enough to resist online or offline attacks, or they aren't. If they aren't strong enough, then you would have to rotate much more often than every few years.
Theory is that I'll rotate out passwords on insecure? systems.
One case I know is that in one system my old password was hashed with an older method (which was the right choice at the time) and when I reset I'm now using their updated (right choice today) hash.
Another feature is that services I don't use I'm reminded to close/deactivate.
Assuming we start from the position of having a unique, never-before-seen password for each account (which is what we should all be doing, right?), rotating doesn't do anything.
And if we accept that most people don't use unique, never-before-seen passwords and that a password has been included in a plaintext dump, rotating passwords periodically doesn't even protect from password spray attacks, since someone has likely used that password before and you'll still be vulnerable.