Following firebits's message, I did the following test (we are using Office 365):
I modified the “Default MDM Policy” in “Security and compliance” (https://protection.office.com/devicev2) by changing the minimum password length from 4 to 5 characters;
I changed the device password to a 5-digit password;
The device has become compliant;
I subsequently re-modified the MDM Policy by changing the minimum password length to 4 characters;
I changed the device password back to a 4-digit password;
The device is still compliant.
Please note that I have not made any changes in Endpoint Manager compliance policies for “Personally-owned work profiles” or “Android Compliance Policy”. The problem seems to be related to the Default MDM Policy in “Security and compliance” in Office 365.
Why does this work? I've no idea!