When they say,
We'd lose our security certificate if we allowed pasting [into
input
fields]. It could leave us open to a "brute force" attack.
They forget that their webpage is simply a client of their backend service. There are many other existing ones.
They forget that stopping "brute force" attacks is a matter for their back end.
They forget that JavaScript can be disabled, fail to load or used to turn off 'onpaste'.
They forget that these practices force their customers to use simpler passwords
They forget that their actions make their customers more vulnerable.
They forget that when a user, who was for all intents and purposes forced by them to use a simple guessable password, has their account compromised they use words that put the blame on that user and make them feel bad.
I say forget but I really mean ignore the fact. I guess it's easier to hide behind outdated words and policy than understand the needs of the user, your customers.