<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Size is all that matters</title>
	<atom:link href="http://fitzsimmons.ca/size-is-all-that-matters/feed/" rel="self" type="application/rss+xml" />
	<link>http://fitzsimmons.ca/size-is-all-that-matters/</link>
	<description>I like stuff, and you're reading about it</description>
	<lastBuildDate>Thu, 08 Apr 2010 07:39:57 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Michael Melanson</title>
		<link>http://fitzsimmons.ca/size-is-all-that-matters/comment-page-1/#comment-31</link>
		<dc:creator>Michael Melanson</dc:creator>
		<pubDate>Sun, 26 Oct 2008 15:29:33 +0000</pubDate>
		<guid isPermaLink="false">http://fitzsimmons.ca/?p=40#comment-31</guid>
		<description>All passwords are not created equal. Sysadmins enforce strict requirements to help prevent stupid passwords, not to play games with combinatorics.

Most attacks are shallow, searching for weak passwords across a large number of accounts or systems. Case in point: the constant bombardment of SSH connections that any computer with an exposed SSH daemon receives. Strict requirements help protect a system from being vulnerable to these &quot;drive-by&quot; attacks by shoring up the minimum password strength on the system.

From the perspective of someone trying to gain access to a particular account, your math is insufficient. Searching a-z will only find passwords that exactly follow the minimum requirements; if someone uses a capital letter or symbol when not required by the sysadmin, they would not find it. Thus, they would have to check capital letters and symbols anyways if they want to be sure.

While some sysadmins go too far (e.g. requiring changes every 10 days), I think requirements like 8+ characters, lower case, upper case and symbols, not based on a dictionary word or their account name, are all reasonable. It doesn&#039;t matter how long it would take to crack any password of length 9 if the password is &quot;butterfly&quot;.</description>
		<content:encoded><![CDATA[<p>All passwords are not created equal. Sysadmins enforce strict requirements to help prevent stupid passwords, not to play games with combinatorics.</p>
<p>Most attacks are shallow, searching for weak passwords across a large number of accounts or systems. Case in point: the constant bombardment of SSH connections that any computer with an exposed SSH daemon receives. Strict requirements help protect a system from being vulnerable to these &#8220;drive-by&#8221; attacks by shoring up the minimum password strength on the system.</p>
<p>From the perspective of someone trying to gain access to a particular account, your math is insufficient. Searching a-z will only find passwords that exactly follow the minimum requirements; if someone uses a capital letter or symbol when not required by the sysadmin, they would not find it. Thus, they would have to check capital letters and symbols anyways if they want to be sure.</p>
<p>While some sysadmins go too far (e.g. requiring changes every 10 days), I think requirements like 8+ characters, lower case, upper case and symbols, not based on a dictionary word or their account name, are all reasonable. It doesn&#8217;t matter how long it would take to crack any password of length 9 if the password is &#8220;butterfly&#8221;.</p>
]]></content:encoded>
	</item>
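The comment above makes two points that are easier to see in code: a brute force restricted to a-z covers only a tiny fraction of the space an unconstrained password could occupy, and a policy of the kind the commenter describes rejects "butterfly" on sight regardless of keyspace arithmetic. The following is an added example written for this page; it is not code from the original post or from the commenter. It assumes a 95-character printable-ASCII alphabet for the full keyspace, a small constructed word list in place of a real dictionary, and one particular reading of the rules (length at least 8, at least one lower-case letter, one upper-case letter and one symbol, not a dictionary word once leading or trailing digits and symbols are stripped, and not containing the account name).

```python
import string

# Constructed stand-in for a real wordlist (assumption; a deployment would
# load a proper dictionary file instead).
SAMPLE_DICTIONARY = {"butterfly", "password", "sunshine", "dragon", "letmein"}

MIN_LENGTH = 8
LOWER = set(string.ascii_lowercase)  # the 26-character space of an a-z only search
# 52 letters + 10 digits + 32 punctuation + space = 95 printable ASCII characters
PRINTABLE_SIZE = (len(string.ascii_letters) + len(string.digits)
                  + len(string.punctuation) + 1)


def keyspace(alphabet_size, length):
    """Number of distinct strings of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def lowercase_search_coverage(length):
    """Fraction of the full printable-ASCII space of this length that an attacker
    who only ever tries a-z actually reaches."""
    return keyspace(len(LOWER), length) / keyspace(PRINTABLE_SIZE, length)


def found_by_lowercase_search(password):
    """True if an exhaustive a-z search would ever hit this password, i.e. the
    user used nothing beyond the bare minimum character class."""
    return all(c in LOWER for c in password)


def policy_violations(password, account_name, dictionary=SAMPLE_DICTIONARY):
    """Return the rules (as fixed strings) that `password` breaks, in check order.
    An empty list means the password satisfies the policy described in the comment."""
    problems = []
    if MIN_LENGTH > len(password):
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # "Based on a dictionary word": catch the word itself and the common trick of
    # padding it with digits or symbols at either end (assumed interpretation).
    core = password.lower().strip(string.digits + string.punctuation)
    if password.lower() in dictionary or core in dictionary:
        problems.append("based on a dictionary word")
    if account_name and account_name.lower() in password.lower():
        problems.append("contains the account name")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the comment's own example plus a few variants.
    for pw, account in [("butterfly", "alice"), ("Butterfly1!", "bob"),
                        ("Alice!2024x", "alice"), ("xK7#pqLm2v", "alice")]:
        verdict = policy_violations(pw, account) or ["ok"]
        reach = "yes" if found_by_lowercase_search(pw) else "no"
        print(f"{pw:>12}  a-z search finds it: {reach:>3}  policy: {', '.join(verdict)}")
    for n in (8, 9, 12):
        print(f"length {n}: 26^{n} = {keyspace(26, n):.3e}, 95^{n} = "
              f"{keyspace(PRINTABLE_SIZE, n):.3e}, a-z covers "
              f"{lowercase_search_coverage(n):.2e} of the full space")
```

The coverage figure is the commenter's "your math is insufficient" point in numbers: at length 9 an a-z only search reaches well under one hundred-thousandth of the printable-ASCII space, so an attacker who wants certainty has to search the wider alphabet whether or not the policy demanded it. The policy checker shows the other half of the argument: "butterfly" fails three rules at once, and "Butterfly1!" still fails the dictionary rule even though it now has the right character classes.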
</channel>
</rss>
