Re: Password complexity/history - credcheck? - Mailing list pgsql-general

From Greg Sabino Mullane
Subject Re: Password complexity/history - credcheck?
Date
Msg-id CAKAnmmL7a20MKmjJuQZsrZPqCoSfdi5xpCtL4eqTxmcCKefC6Q@mail.gmail.com
In response to Re: Password complexity/history - credcheck?  (Martin Goodson <kaemaril@googlemail.com>)
Responses 2FA - - - was Re: Password complexity/history - credcheck?
List pgsql-general
On Sun, Jun 23, 2024 at 5:30 AM Martin Goodson <kaemaril@googlemail.com> wrote:
> I believe that our security team is getting most of this from our
> auditors, who seem convinced that minimal complexity, password history
> etc are the way to go despite the fact that, as you say, server-side
> password checks can't really be implemented when the database receives a
> hash rather than a clear text password and password minimal complexity
> etc is not perhaps considered the gold standard it once was.
>
> In fact, I think they see a hashed password as a disadvantage.

Wow, full stop right there. This is a hill to die on.

Push back and get some competent auditors. This should not be a DBA's problem. Your best bet is to use Kerberos, and throw the password requirements out of the database realm entirely.

Also, the discussion should be about 2FA, not password history/complexity.

Cheers,
Greg
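The point Martin raises, that the server cannot apply complexity or history rules to something it only ever receives as a hash, is easy to see with the verifier format PostgreSQL actually stores. The following is an added illustration, not code from this thread or from the credcheck project: it builds a SCRAM-SHA-256 verifier the way a client such as psql's \password does (RFC 7677 derivation, PostgreSQL's `SCRAM-SHA-256$iterations:salt$StoredKey:ServerKey` layout), then runs a hypothetical complexity rule and a history comparison against both the clear text and the verifier. The policy functions, the 12-character/3-class rule and all sample passwords are constructed for the example; only the standard library is used.

```python
"""Added example (not from the pgsql-general thread): why a server-side
password policy cannot inspect a password once the client has already
turned it into a SCRAM-SHA-256 verifier. Standard library only."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Iteration count PostgreSQL uses by default for SCRAM-SHA-256 verifiers.
SCRAM_DEFAULT_ITERATIONS = 4096


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def scram_sha256_verifier(password: str, salt: bytes,
                          iterations: int = SCRAM_DEFAULT_ITERATIONS) -> str:
    """Build a verifier in the layout PostgreSQL keeps in pg_authid.rolpassword:
    SCRAM-SHA-256$<iterations>:<b64 salt>$<b64 StoredKey>:<b64 ServerKey>.
    Everything here is computable by the client alone (RFC 7677)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


VERIFIER_RE = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")


def is_precomputed_verifier(value: str) -> bool:
    """True when the client sent an already-hashed verifier, not clear text."""
    return VERIFIER_RE.match(value) is not None


def complexity_policy(value: str) -> Tuple[Optional[bool], str]:
    """Hypothetical minimal-complexity rule of the kind auditors ask for.
    Returns (decision, reason); decision is None when the rule cannot be
    evaluated because only a verifier is available."""
    if is_precomputed_verifier(value):
        # The server holds keys derived through PBKDF2 and HMAC; the clear
        # text is not recoverable, so length or character-class rules have
        # nothing to look at.
        return None, "received a SCRAM verifier, not a password; unenforceable here"
    if len(value) < 12:
        return False, "shorter than 12 characters"
    classes = sum(bool(re.search(p, value))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        return False, "fewer than 3 character classes"
    return True, "ok"


def reused_from_history(value: str, history: list) -> Optional[bool]:
    """Password-history check. Only clear text can be re-derived against an
    old verifier's salt; two verifiers of the same password never compare
    equal because each carries its own random salt, so a verifier gives
    no answer either way (None)."""
    if is_precomputed_verifier(value):
        return None
    for old in history:
        _, iters_salt, _ = old.split("$")
        iters, salt_b64 = iters_salt.split(":")
        if scram_sha256_verifier(value, base64.b64decode(salt_b64), int(iters)) == old:
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values; a real client picks a fresh random salt.
    old = scram_sha256_verifier("Winter2023!x", os.urandom(16))
    print(complexity_policy("Winter2023!x"))            # (True, 'ok')
    print(reused_from_history("Winter2023!x", [old]))   # True
    resent = scram_sha256_verifier("Winter2023!x", os.urandom(16))
    print(complexity_policy(resent)[0])                 # None
    print(reused_from_history(resent, [old]))           # None
```

The last two lines are the whole argument: the same password, sent a second time as a verifier with a new salt, is opaque to both rules. Whatever hook the server runs sees a string it can neither measure nor compare, which is why Greg's advice to move the policy to the identity provider (Kerberos, and 2FA on top) is the practical route.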
