no reason at all, except for sloppy DB coding where they would allow plain text in the DB or use the (non-portable) DB functions to hash the password and use direct SQL statement.
This seems just like plain string validation.
Other than that, on the pratical side, special character placement in foreign or cramped keyboard is tricky and might be more frustrating for the user that are traveling (or in more modern case alternative input like onscreen keyboard on smartphone).
Some website might even push the system further by providing their own on-screen keyboard to log in ( with various scrambling ).
Disallowing special char helps QA, and reduced multi-platform user frustration.
And finally, Allowing a limited (deemed safe) character set (that is not only punctuation but also more language specific char in unicode), developper can also avoid encoding confusion between the browser and the server application (form data encoding is not very clear in the standard, and can be tricky on some browser).