• If the account is being used by an application, website, etc., then they are service accounts, not System Accounts. Generally, service account passwords aren't set to expire; otherwise, when they do, things can fall over unless you have a very robust system in place that can automatically change all the references to that password in the right places, at the right time. With Service Accounts, you need to endeavour to ensure that the account only has access to do what it's allowed to/should do, and just that. On a website, this might mean that the account only has access to run Stored Procedures; anything else after that is inherited.

    For your System Administrators, then yes, expiry is a good practice. A lot of places as well have it so that System Administrators have 2 accounts: 1 for day to day, and a second which has sysadmin privs. This means that they can't "accidentally" do something they normally could as an SA but also, should their normal account be compromised, the other is not.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk
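
The setup described in the post above, as an added example that is not part of the original post: a service account with password expiry off whose only grant is EXECUTE on stored procedures. It assumes SQL Server and a scratch database; the names `svc_web`, `web_exec`, `app`, `app.Orders`, `app.GetOrders` and the password are hypothetical placeholders.

```sql
-- Constructed demo objects (hypothetical names); run in a scratch database.
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE TABLE app.Orders (OrderId int PRIMARY KEY, Customer nvarchar(50) NOT NULL);
INSERT INTO app.Orders (OrderId, Customer) VALUES (1, N'Constructed sample row');
GO
CREATE PROCEDURE app.GetOrders
AS
    SELECT OrderId, Customer FROM app.Orders;
GO

-- Service login: password policy still enforced, expiry switched off so the
-- application does not fall over on an expiry date. The password below is a
-- placeholder; supply the real value from your secret store.
CREATE LOGIN svc_web
    WITH PASSWORD = N'Placeholder-Replace-Me-1!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;

-- Database user mapped to the login, with no direct table permissions.
CREATE USER svc_web FOR LOGIN svc_web;

-- Grant through a role so the permission set is defined once and is auditable.
CREATE ROLE web_exec;
GRANT EXECUTE ON SCHEMA::app TO web_exec;
ALTER ROLE web_exec ADD MEMBER svc_web;
GO

-- Check effective permissions as the service account.
EXECUTE AS USER = 'svc_web';

-- The procedure can read app.Orders because both objects have the same owner
-- (ownership chaining), even though svc_web holds no SELECT on the table.
EXEC app.GetOrders;

-- Compare what the account may do on the procedure with what it may do
-- on the underlying table directly.
SELECT HAS_PERMS_BY_NAME('app.GetOrders', 'OBJECT', 'EXECUTE') AS CanExecProc,
       HAS_PERMS_BY_NAME('app.Orders',    'OBJECT', 'SELECT')  AS CanSelectTable;

REVERT;
```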