This reignites my recurring question: Don't (at least some) password rules just shrink the problem space?



Yes and no.

Having no rules means you have a maximum search space. However, a general audience means that the top X% (let's say 70 to be arbitrary) are going to be in a very small search space... An English word with maybe some numbers substituted in for a letter or two.

OTOH, having password rules means that you eliminate the smallest areas of the search space, so every password resides in a restricted version of the larger space. Fewer possible passwords, but all at a larger complexity to guess.

Then, there are password rules like "no special characters" or "maximum length of 10 characters" which are fantastically stupid and lazy, and only serve to make brute forcing them that much easier.
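The "fewer possible passwords, but harder to guess" trade-off above can be put in numbers. The block below is an added example (stdlib Python, not code from anyone in the thread): it counts, by inclusion-exclusion, how many strings of a given length contain at least one character from each required class, and compares that with the unconstrained keyspace. The alphabet sizes (26 lower, 26 upper, 10 digits, 33 printable specials, 95 total) are assumptions for a printable-ASCII policy.

```python
"""Keyspace with and without composition rules (added example).

Assumptions (not from the thread): printable ASCII, split into the four
disjoint classes below. A composition rule is "at least one character from
each required class"; the count is computed exactly with inclusion-exclusion.
"""
from itertools import combinations

# Assumed character classes (disjoint, 95 printable ASCII characters in total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())


def keyspace(length: int, required: tuple = (), alphabet: int = ALPHABET) -> int:
    """Number of strings of `length` over `alphabet` symbols that contain at
    least one symbol from every class named in `required`.

    Inclusion-exclusion: for each subset S of the required classes, subtract or
    add the strings that avoid every class in S, i.e. (alphabet - |S|)^length.
    """
    for name in required:
        if name not in CLASSES:
            raise ValueError(f"unknown class {name!r}")
    total = 0
    for k in range(len(required) + 1):
        for subset in combinations(required, k):
            missing = sum(CLASSES[c] for c in subset)
            total += (-1) ** k * (alphabet - missing) ** length
    return total


def shrink_factor(length: int, required: tuple) -> float:
    """Fraction of the unconstrained keyspace that survives the rule."""
    return keyspace(length, required) / keyspace(length)


def seconds_to_exhaust(count: int, guesses_per_second: float = 1e10) -> float:
    # Assumed attacker rate; only the relative comparison matters here.
    return count / guesses_per_second


if __name__ == "__main__":
    for length in (8, 10, 12):
        plain = keyspace(length)
        ruled = keyspace(length, ("lower", "upper", "digit", "special"))
        print(f"len {length}: no rules {plain:.3e}, all four classes {ruled:.3e}, "
              f"kept {shrink_factor(length, ('lower', 'upper', 'digit', 'special')):.1%}, "
              f"exhaust in {seconds_to_exhaust(ruled) / 86400:.1f} days")
```

The rule does shrink the space, but only by a roughly constant factor (it removes the all-one-class strings, which are a small slice at realistic lengths), while each extra character of length multiplies the space by 95. That is why a length floor buys more than a composition rule, and why a length ceiling like 10 is the damaging choice.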


Maximum lengths only make sense if your password field is stored as a SQL CHAR(10) (or COBOL if they’re into that). Basically a fixed width field and that’s too small for a hash. But even then, they’re a horrible idea.


They also make sense if you're using bcrypt since it has a 72-byte max input length. More modern password hashing functions don't have such a short limit, so you can set a much bigger max length to prevent excessive network traffic & processing (e.g. 1 kB). Since functions like Argon2 have very large max limits (2^32-1 bytes for Argon2) it can make sense to set a shorter limit.
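The two limits discussed in the comment above (bcrypt's 72-byte input limit and an application-level cap of about 1 kB) interact in a way that is easy to get wrong, so here is an added example (stdlib Python, not code from the commenter or any library) of a length policy built around them. It assumes a cap of 1024 bytes, measures length in UTF-8 bytes rather than characters, and uses SHA-256 + base64 pre-hashing so that bcrypt never receives more than 72 bytes; the bcrypt call itself is not made here, and truncate_like_bcrypt() only models what bcrypt does to longer input.

```python
"""Length policy for a bcrypt back-end (added example, stdlib only).

Assumptions (not from the thread): MAX_PASSWORD_BYTES = 1024 is the
application's cap; BCRYPT_MAX_BYTES = 72 is bcrypt's documented input limit.
"""
import base64
import hashlib
import unicodedata

MAX_PASSWORD_BYTES = 1024   # assumed application-level cap (the "1 kB" idea above)
BCRYPT_MAX_BYTES = 72       # bcrypt's real input limit


class PasswordTooLong(ValueError):
    pass


def encode_password(password: str) -> bytes:
    # NFC-normalise so visually identical Unicode input hashes the same, then
    # measure in UTF-8 bytes: that is what every KDF actually consumes, and a
    # 600-character non-ASCII password can be well over 1 kB.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def check_length(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> bytes:
    raw = encode_password(password)
    if len(raw) > max_bytes:
        raise PasswordTooLong(f"{len(raw)} bytes exceeds limit of {max_bytes}")
    return raw


def truncate_like_bcrypt(raw: bytes) -> bytes:
    # bcrypt silently uses only the first 72 bytes of its input, so two
    # passwords that agree on those bytes verify against the same hash.
    return raw[:BCRYPT_MAX_BYTES]


def bcrypt_input(password: str) -> bytes:
    """Pre-hash so that any accepted password fits bcrypt without truncation.

    base64(sha256(pw)) is always 44 ASCII bytes and contains no NUL byte
    (some bcrypt implementations stop reading at a NUL), so the full
    password contributes to the hash even when it is longer than 72 bytes.
    The returned value is what you would pass to bcrypt.hashpw()/checkpw().
    """
    raw = check_length(password)
    return base64.b64encode(hashlib.sha256(raw).digest())


if __name__ == "__main__":
    # Constructed sample passwords: identical for 72 bytes, different after.
    a = "x" * 72 + "secret"
    b = "x" * 72 + "different"
    print("raw bcrypt input equal:", truncate_like_bcrypt(encode_password(a)) == truncate_like_bcrypt(encode_password(b)))
    print("pre-hashed input equal:", bcrypt_input(a) == bcrypt_input(b))
    try:
        check_length("\u00e9" * 600)   # 600 characters but 1200 bytes
    except PasswordTooLong as exc:
        print("rejected:", exc)
```

Note that pre-hashing changes what bcrypt stores, so it has to be applied consistently at registration and login, and an existing user base hashed on raw input needs a migration path; the byte cap alone can be added to any back-end without touching stored hashes.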



