It is not controversial, it is wrong. You calculator is just that, a calculator that states how many combinations there are available. Unfortunately, by enforcing complexity you have just removed any password from the available pool that does not meet your complexity requirements and drastically reduced the amount of time needed. However, this is pretty moot now as brute force password cracking is only really available once the password DB has been obtained. Most online compromises are now performed by using password breach lists (Password spray attacks) so checking that passwords are not on a breach list is really important - you are not doing this. The password Mississippi1 complies to your complexity rules and can be set as a password but it exists in the top 100 most common passwords.
Removing complexity makes passwords easier to remember and encouraging pass phrases makes passwords easier to remember and harder to crack. Users mostly do the same thing when they create a password with complexity, they add a number to the end, or a ! and the bad actors know this.
https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/
What can you do to improve:
Add federation to allow user of Google, Microsoft or Apple accounts to signin - one less password for a user to remember and these companies are very good at security.
Enable passkeys - The next gen in internet security
Add compromised password checking - use a service such as https://haveibeenpwned.com/API/v3#PwnedPasswords which will stop any compromised password being set and therefore drastically reducing the success of password spray attacks.
Remove complexity to increase the available number of passwords and make them easier to remember.
Side note, happy to sell you some consultancy on this