If you have a password policy, and you have extra plugins that implement the check_password_policy callback to add more constraints on the password, then it can be easy to generate a password which doesn't actually meet the password policy.
1) Add a new callback 'generate_password' to round out check_password_policy adn print_password_policy which can mutate / append to the newly generate password. I think if there is a clash between the $maxlen=10 function param and $CFG->minpasswordlength then the latter should take precedence as we'll almost always be making it longer and more complicated.
2) I can imagine some curve balls that make this non deterministic, and so core should actually test the new password against the policy after it's been generated. If it doesn't pass then retry a couple times and the either debug message or maybe an moodle_exception.