mysql_secure_installation performs direct updates on mysql.global_priv. If it is instructed to set a password for root, it inserts the authentication_string value, but not password_last_changed, and then it reloads privileges. So, if the server is running with non-zero default_password_lifetime, the rest of the script will fail, as root won't be allowed to do anything anymore.

    Change the root password? [Y/n] y
    New password:
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
     ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them. This is intended only for testing, and to make the installation
    go a bit smoother. You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] y
    ERROR 1820 (HY000) at line 1: You must SET PASSWORD before executing this statement
     ... Failed!

If default_password_lifetime is configured later, then root will get blocked as soon as the value is set, even if it's only been minutes after mysql_secure_installation had finished, which is also somewhat embarrassing.
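
A pre-flight check for the second scenario, to run before default_password_lifetime is set to a non-zero value. This is an added example, not part of the original report or of mysql_secure_installation; it assumes the Priv column of mysql.global_priv is JSON with the keys authentication_string and password_last_changed, and the account name and password in the last statement are placeholders.

```sql
-- Current global policy. 0 means passwords never expire automatically,
-- so a missing change timestamp is harmless until this becomes non-zero.
SELECT @@global.default_password_lifetime AS default_password_lifetime;

-- Accounts that have a password hash stored but no recorded change time.
-- These are the accounts a direct UPDATE on mysql.global_priv leaves behind,
-- and the ones that get blocked once a lifetime is enforced.
SELECT User,
       Host,
       JSON_VALUE(Priv, '$.plugin')                AS plugin,
       JSON_VALUE(Priv, '$.password_last_changed') AS password_last_changed
FROM   mysql.global_priv
WHERE  COALESCE(JSON_VALUE(Priv, '$.authentication_string'), '') <> ''
  AND  JSON_VALUE(Priv, '$.password_last_changed') IS NULL;

-- For each account listed, set the password again through an
-- account-management statement instead of editing the table directly,
-- so the server records the change time itself.
-- 'root'@'localhost' and the password are placeholders (assumption).
ALTER USER 'root'@'localhost' IDENTIFIED BY '<new-password-placeholder>';

-- Re-run the second query: it should return no rows before
-- default_password_lifetime is raised above 0.
```

The check has to be run while the account can still execute ordinary statements; once root is blocked, the server rejects the SELECT with the same ERROR 1820 shown above.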