We shouldn't make such proclamations based on reasoning alone. Security policy that involves human behavior depends extensively on what humans do. So while a particular security policy may be the safest, most rational thing to do, it may fail in practice if people execute it poorly.
So, if it is true that when people regularly change their passwords, they pick poorer passwords, then perhaps those poor passwords are a larger risk than the risk of maintaining a compromised password. Again, this is not a question of what is the most rational policy. It is a question of human behavior, which means in order to find an answer, we need to study what people actually do.
I googled to see if I could find studies on this, and I did: "The True Cost of Unusable Password Policies: Password Use in the Wild" by Philip Inglesant & M. Angela Sasse: http://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf I have yet to read it in full, but they do touch on this idea at least some.
Cryptography in its own principles is based on probability. If ignoring physical access attacks, social engineering attacks, etc. is acceptable to you, then yes, you can keep a "good" password for a long time. You also have to accept that, out of all possible attacks, accounting for nothing but brute force and basic dictionary attacks is 'enough', and then you should also acknowledge the risks.
I think you're missing my key point: you have to compare two different risks, based on observation. The first risk is the risk of continuing to use a compromised password. The second risk is the risk of users introducing weaker passwords because they continually change them. We can use our reasoning to come up with a decent probability for the first risk. We cannot do so for the second risk, since it depends on how people behave. We must study people to assign a number to the second risk.
I think I see your point, but you have to admit you haven't really established a foundation for your argument. You seem to feel (and I may be wrong, of course) that one person selecting a fairly secure passphrase once would be much more secure at any single point in time than a haphazard, dictionary-based passphrase that in comparison would likely be trivial to compromise at that same point in time. If that is indeed your point, you do convey a valid point.
I just ask that if you advertise this method as somehow ideal then please allow for your audience to appreciate it as it is, an "if all else fails it's better than nothing" approach.
You've almost got it, but you've missed the main subtlety: I'm asking a question, not making a statement. I'm not advocating what we should do. I'm stating that what we should do is actually unknown because we don't have all of the information. Specifically, we don't know human behavior when it comes to rotating passwords. If it turns out that people actually choose good passwords under a rotating password policy, then we should keep the rotating password policy.
My only prescription is to say, instead of telling everyone "this is how you should behave" in order to achieve the best security, we should design our security policies based on how people actually behave. My assertion here is that if we do this, we will end up with better actual security than if we came up with a policy that, on paper, is better, but is not well implemented by people in the wild.