This is *not* a bug.
Some messages have FAO (Formatted ASCII Output) directives in them. !UB is the directive for unsigned byte decimal. (See the $FAO system service doc for a complete list.)
The audit server gets the final status, but not any of the arguments to fill in. When displayed, if the final status maps to a message, that's what is displayed. SS$_INVPWDLEN is 9108 (decimal). Try:
$ WRITE SYS$OUTPUT F$MESSAGE (9108)
and you'll get exactly the message you saw in the audit record.
$ WRITE SYS$OUTPUT F$FAO(F$MESSAGE (9108), 15)
would give you a fully-formatted message.
Because the minimum password length is defined on a per-user basis, the message needs to have a variable base number. When the message is displayed in context, the number is correct. When the status is converted to a message in the audit, it's obvious that the user chose a too-short password, but you'd have to check the user record in SYSUAF to determine what the number should be. The user was given the fully-formatted message.
One important note: The password maximum was raised to 64 for V9.x, but not all access software has caught up. Until you are certain that your connection method supports passwords longer than 32, it's safer to stick to 32 or fewer characters.
Added in 13 minutes 48 seconds:
As an aside, it is worth noting that password expiration times are no longer considered best practice (e.g. see https://pages.nist.gov/800-63-FAQ/#q-b05). While I am aware that it is possible to remove them using the AUTHORIZE utility, VSI may want to consider removing or extending the default expiration period.
I'm quite familiar with the NIST best practices for memorized secrets. Unfortunately, the rest of the world hasn't caught up. As a best practice, it's preferable to ship standard accounts in a mostly-locked-down state and let the system administrator modify in accordance with local policy.
That said, you shouldn't remove password lifetime entirely. Instead, you should set it to a very large value, say 9999 days. "Why?", you ask. Because an account with no password lifetime will never be allowed to change an expired password at login. If there's no password lifetime, how does the password become expired? Setting the password via AUTHORIZE marks the password expired by default. Or the system administrator can simply force all passwords to expire in the case of a suspected breach. Go with the long expiration.