Why do some websites force users to come up with difficult passwords?

When a site implements something, it is always to serve their interests; however, this sometimes coincides with serving the user's interests as well, e.g. as in "protecting the users against themselves", which is the case here.

The point of the restrictions is to (try to) make the password harder to guess by an attacker. Truly, preventing some users from using some specific password values mathematically reduces the number of possible passwords; but, practically, this is more about forbidding the easy passwords that users would almost always choose if they had the choice. The total number of possible passwords is ludicrously large. If we consider that a password may include letters (lowercase and uppercase), digits, and, say, some punctuation signs which are accessible from a common keyboard; and if we allow passwords to go up to 30 characters in length, then the number of possible passwords is equal to 157935773974908502215194845377591539584935386309545795005451 (including the "empty password" of length 0; otherwise, subtract 1 to that count). Possible passwords are not a scarce resource, and there is little problem in removing a few billions from that count.

The scare resource is user imagination and patience. Given the possibility, most users will use short passwords with only lowercase letters, because that's what most easy to remember and type. And they will pick "meaningful" words, e.g. "castle" and not "bsigrz". The attacker knows that: easy passwords are the first that he will try, and there are not many of them, so the attacker will succeed.

The "password rules" are an attempt to force users away from the easy passwords. If you force them to include a digit and an uppercase letter, they will do so, but with a digit that the attacker cannot predict, and with the uppercaseness applied to a random letter. (At least theoretically; in practice, users will put the uppercase on the first letter, and the digit will be added at the end, and will be a '1'). The fervent hope is that this will increase the number of possible passwords that user will effectively choose, and thus make things harder for the attacker.

Password rules may backfire, sometimes spectacularly; users will forget their password and nag the helpdesk; users will write the password on a stick-up note cunningly concealed under the keyboard. (As far as backfiring goes, writing a complex password on a piece of paper stored in the user's wallet is not that bad: at least, users care about the whereabouts of their wallet.) One very common instance of backfiring is, exactly, having a "usual" password which the user uses with many sites. This means that a security breach on one site immediately extends to all other sites on which the user also has an account. That's Bad.