This isn't about the security team being lazy; this is more about the security team being bad at what they do. It has been shown over and over that forcing password changes is LESS secure. For anyone that wants to hack someone's T-Mobile account, it is really easy: all you need to do is get access to their desks or wherever they store their passwords for accounts like this. Usually a Post-it note on their desk. If you are lucky, you can get it from a selfie at their desk with it accidentally in the background.
From 2016: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
We have known for a while now that password resets are ineffective and even less secure, especially since many users will write down the password, store it on their phone, or, like I see at the office ALL the time, just put their password right on a Post-it note on their desktop, for co-workers, utility guys and janitors to enjoy. Not to mention the social media posts. I went through my friends' pictures and about half of them had shots at their desk or with their laptop with at least a partially visible password. You are really making social engineering easier with this.