
Is there a reason why certain sites don't allow periods in passwords?


They're brain-dead and scared of punctuation in general - and dot counts as punctuation. It is more a case of 'friendly-fire' than dot being dangerous. Dash is pretty harmless too.

One of the concerns is SQL injection, of course. The other is the competency of the programming workforce.


I worked at one place that wanted to be able to read passwords over the phone (that's how support was done). Support people didn't know all the names for symbols (hash, bang, pipe, ampersand/and, asterisk/star) and other issues (which left bracket do you mean, which quote, etc). So they didn't allow any punctuation.

Not a good reason (support shouldn't know my password), but you didn't ask for only good reasons :)


No reason at all, except for sloppy DB coding where they would allow plain text in the DB or use the (non-portable) DB functions to hash the password and use a direct SQL statement. This seems just like plain string validation.

Other than that, on the practical side, special character placement on foreign or cramped keyboards is tricky and might be more frustrating for users that are traveling (or, in the more modern case, alternative input like an onscreen keyboard on a smartphone). Some websites might even push the system further by providing their own on-screen keyboard to log in (with various scrambling).

Disallowing special characters helps QA, and reduces multi-platform user frustration.

And finally, by allowing a limited (deemed safe) character set (that is not only punctuation but also more language-specific characters in Unicode), developers can also avoid encoding confusion between the browser and the server application (form data encoding is not very clear in the standard, and can be tricky on some browsers).
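The storage pattern the answers contrast, as an added example that is not part of any answer on this page: when the password is hashed in the application and passed through bound parameters, periods, quotes and non-ASCII characters never reach the SQL text, while the spliced plain-text statement breaks on a single quote. It assumes Python's `sqlite3` and PBKDF2 from `hashlib`; the table, function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample passwords: periods, mixed punctuation with a quote, non-ASCII.
SAMPLE_PASSWORDS = ["correct.horse.battery", "it's-a|pass#word!", "pässwörd.日本語"]


def hash_password(password: str, salt: bytes) -> bytes:
    # Hash in the application with an explicit encoding; the DB only sees bytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    return db


def register(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    # Bound parameters keep every value out of the SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))


def verify(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def sloppy_insert_ok(db: sqlite3.Connection, name: str, password: str) -> bool:
    # The criticized pattern: plain text spliced directly into the statement.
    try:
        db.execute(f"INSERT INTO users VALUES ('{name}', x'', '{password}')")
        return True
    except sqlite3.Error:
        return False  # the statement no longer parses


def demo() -> dict:
    db = open_db()
    for i, pw in enumerate(SAMPLE_PASSWORDS):
        register(db, f"user{i}", pw)
    return {pw: verify(db, f"user{i}", pw) for i, pw in enumerate(SAMPLE_PASSWORDS)}
```

Note that the period-only password goes through even the spliced statement; it is the quote that breaks it, which is why a blanket punctuation ban catches harmless characters too.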