So, if a users password is now invalid, and $wgInvalidPasswordReset is set, they're taken to the password reset form. Great. But they can then just click cancel and carry on with their business. Which doesn't help resolve the issue.
Please choose a new password now, or click "Cancel" to reset it later.
Of course, you can then prevent login to those with invalid passwords, and force them to do a password reset via email... Which isn't so nice.
So, we need a way to force users to do a password, and not let them do anything else (but allow them to login and reach the reset form)