If the security industry at large actually knew what they were doing, websites wouldn't be instituting such asinine password rules, and my own employer wouldn't have recently cited "industry standard practice" as a reason for requiring I include special characters in my domain password.
But the security industry does know what they are doing. The "industry standard practice" for special characters is to limit the ability of a brute-force attack on your password. By requiring a special character, they increased the search space needed to find the password. For an 8-character password requiring lower case letters, there are 8*26 possible passwords. Add upper case letters, and there are 8*52 possible passwords. Add numbers and there are 8*62 possible passwords. Add special characters and there are 8*94 possible passwords. This requirement fights a specific type of attack vector.
Are there other attack vectors? Sure, and they too have their own security rules to mitigate the chances of a successful attack.
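Added example, not part of the original comment: it counts the 8-character strings over the 26/52/62/94-character alphabets named above, both when the extra classes are merely allowed and when at least one character from every class is required (counted by inclusion-exclusion). It assumes a 32-symbol special set (94 minus 62) and treats every string as equally likely; the function names are this example's own.

```python
from itertools import combinations
from math import log2

# Assumed class sizes for printable ASCII without the space character.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def allowed_space(length, classes):
    """Strings of `length` over the union of `classes`, no composition rule."""
    return sum(CLASSES[c] for c in classes) ** length


def required_space(length, classes):
    """Strings over the same alphabet that contain at least one character
    from every class, counted by inclusion-exclusion over missing classes."""
    total = sum(CLASSES[c] for c in classes)
    count = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            remaining = total - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def report(length=8):
    """One row per policy step: (alphabet size, allowed count, required count)."""
    order = ["lower", "upper", "digit", "special"]
    rows = []
    for i in range(1, len(order) + 1):
        used = order[:i]
        rows.append((sum(CLASSES[c] for c in used),
                     allowed_space(length, used),
                     required_space(length, used)))
    return rows


if __name__ == "__main__":
    for size, allowed, required in report():
        print(f"alphabet {size:>2}: allowed {allowed:.3e} ({log2(allowed):.1f} bits), "
              f"every class required {required:.3e} ({log2(required):.1f} bits)")
```

A composition rule only removes candidates from the allowed set, so the "required" count is never larger than the "allowed" count for the same alphabet and length.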