Re: why have ANY upper limit?
It is pretty standard for PHP.
To a first approximation, this is a synonym for "that's a horrible way to do it".
Since password_hash hashes the input, there's little point in taking the SHA-256 hash of it first. Even if the submitted passphrase is > 72 characters and is truncated, 72 characters from a decent character set has around 430 bits of entropy, so you're better off letting it truncate.
If you really want to hash first, you should be using hash_hmac with a hard-coded or configurable secret (sometimes called "pepper"), per the NIST recommendations; that makes rainbow tables for weak passwords more expensive.
If you don't specify an algorithm identifier, you get whatever your PHP version has picked for the default. Currently that's bcrypt; Argon2 would be a better choice.
Biting the hand that feeds IT
