For the same reason why periodic password changes are recommended: neither the card holder nor the card issuer can be sure that the card (info) is not stolen or otherwise used for fraud. This is especially true if the card holder is not actively using the card and/or not checking the account activity in short enough intervals.

Since the likelihood of abuse approaches 1 while time approaches infinity, the easiest method to mitigate that risk for all ephemeral^1 security features is to replace them and thus reset the clock regardless of concrete evidence of abuse. If my house key is stolen I can simply change the locks; I don’t need to buy a new door or a new house. If my banking card are abused I only need a new card and not an entirely new account. If I accidentally type my Reddit password into a comment field and hit “submit” (because I didn’t notice I was already logged in and confused the log-in form with the comment submission form) then I’ll just assign a different password; no need to get a new account.

(This is one reason why many security researchers aren’t too fond of biometric properties as proof of authority since they can still be “stolen” and abused but they cannot be changed easily or at all – without maiming the carrier.)

—

^1 Meaning that the feature is just some made-up pattern that we agreed is essential to prove identify, authorisation, etc. That pattern could be a piece of (secret) information or a piece of specifically shaped metal that just so happens to unlock one particular door. (I’m aware that “ephemeral” has a different meaning in the context of cryptographic protocols but that’s not what I mean here.)