Example 1:
You have an application that is being run on a particular user account. The application requires that the account must not be disabled, but nobody is supposed to directly login to that account. You have used sshd_config, PAM configuration and/or other means to prevent anybody from directly logging on as the application user.
There is a requirement that all users' passwords must expire in 90-day intervals. After implementing this system-wide using /etc/default/security, this requirement applies to the application user too. So now you have a time-bomb in your system: you must refresh the password on the application user account, even though you have blocked any possibility to actually login with that account. If you don't do this, the application stops working.
Solution: after a careful consideration and documentation of your precautions, use userdb to waive the 90-day password renewal requirement for the application user account only.
Example 2:
You have a standard policy that requires all users' passwords to expire in 90-day intervals, implemented in /etc/default/security.
Then the cranky old CIO says: "I don't want to deal with this. Make it so I don't have to."
MK
