Re: why have ANY upper limit?
This argument is rather baffling. Any password-verifier mechanism using a decent digest (aka "hash") will be storing enough entropy to represent around 50 alphanumeric characters.
The "position in the hashed space" is irrelevant. Password verifiers created with a competent algorithm aren't broken by analysis; they're broken by brute force, using precomputed values (when no salt was used, or when the salt and preimage length are short enough to make rainbow tables feasible) and/or parallel trials with a (mutating) dictionary of short and common passwords.
So longer passphrases are very much useful, assuming a competent password-verifier mechanism.
And we don't know what Foxit are doing. They may have a competent verifier mechanism with an incompetent front end (thus the 20-character limit). They may have a competent verifier mechanism and front end with an incompetent policy for no good reason. They may have an incompetent mechanism, such as an unsalted hash or worse.
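An added example, not part of the comment above and not Foxit's code: a sketch of the three cases the comment lists, with PBKDF2-HMAC-SHA256 standing in for a "competent" salted verifier. The function names, the iteration count and the passphrases are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

FRONT_END_LIMIT = 20   # the 20-character limit the comment mentions
ITERATIONS = 100_000   # assumed work factor, chosen for this sketch

def make_verifier(passphrase, salt=None):
    """Salted, slow verifier; output is 32 bytes whatever the input length."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def check(passphrase, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(make_verifier(passphrase, salt)[1], digest)

def truncating_front_end(passphrase):
    """Hypothetical front end that silently drops everything past the limit."""
    return passphrase[:FRONT_END_LIMIT]

def unsalted_verifier(passphrase):
    """Weak case: one fast, unsalted digest, so equal inputs give equal records."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()

# Constructed passphrases that differ only after character 20.
LONG_A = "correct horse battery staple one"
LONG_B = "correct horse battery staple two"

if __name__ == "__main__":
    salt, digest = make_verifier(LONG_A)
    print("full length, wrong passphrase accepted:", check(LONG_B, salt, digest))
    salt, digest = make_verifier(truncating_front_end(LONG_A))
    print("truncated, wrong passphrase accepted:",
          check(truncating_front_end(LONG_B), salt, digest))
    print("salted records equal:", make_verifier("hunter2")[1] == make_verifier("hunter2")[1])
    print("unsalted records equal:", unsalted_verifier("hunter2") == unsalted_verifier("hunter2"))
```

The stored record is the same size for a 7-character password and a 200-character passphrase, so the verifier itself gives no reason for an upper limit; the truncating front end is what makes the two long passphrases interchangeable.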