Comment on Why Is Computer Security Advice So Confusing?

9 months ago

Still fairly new to the world of computer security myself, so anyone can feel free to correct me of course, but basically:

While adding capitals, lowercase, numbers, etc. does make the password more complex, it also makes it harder for the average user to remember. This means that many users reuse the same password across multiple sites/platforms. Or they use shorter passwords with common tricks like Pa$$word1. That checks all the requirements for a “secure” password but it really isn’t. Hackers know that people use $ in place of S, people often use some variation of “password” in their password, and the number is usually a 1 or something easily guessable like the year they were born.

So the more up-to-date recommendation is to use a long and strong password (like at least 12 characters long), or a password manager and 2FA.
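
The point made in the comment above, as an added example that is not part of the original comment: a classic composition-rule check accepts Pa$$word1, while a check that undoes common substitutions and strips the trailing number flags it. The word list, substitution table and function names are constructed for illustration.

```python
import re

# Constructed sample of common base words (assumption); a real check would
# load a breached-password list instead.
COMMON_BASES = {"password", "letmein", "welcome", "qwerty", "dragon"}

# Common character substitutions, mapped back to the letter they replace.
DELEET = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
                        "3": "e", "1": "i", "!": "i", "7": "t"})


def passes_composition_rules(pw: str) -> bool:
    """Classic 'complexity' policy: 8+ chars with upper, lower, digit, symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def base_word(pw: str) -> str:
    """Drop a trailing digit/symbol suffix (a '1', a year), then undo substitutions."""
    stem = re.sub(r"[\d\W_]+$", "", pw)
    return stem.lower().translate(DELEET)


def is_guessable(pw: str) -> bool:
    """True when the password is a decorated form of a common base word."""
    return base_word(pw) in COMMON_BASES


def meets_updated_advice(pw: str, min_len: int = 12) -> bool:
    """Length-first check: at least min_len characters and not a decorated common word."""
    return len(pw) >= min_len and not is_guessable(pw)


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Pa$$word1", "Pa$$word1987", "violet-kettle-drums-orbit"):
        print(f"{pw!r}: composition={passes_composition_rules(pw)} "
              f"guessable={is_guessable(pw)} updated={meets_updated_advice(pw)}")
```

The 12-character variant with a year appended still fails, because length alone does not help when the base is a known word.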
