I am wondering why in this commit the password is cleared immediately after use, rather than in the format_status callback? (Is it the case that format_status may not be called in some abnormal exits?)

The password isn’t needed after that point, and the safest way to avoid leaking secrets is to not have them.