In the VMXEXITB SAMPLE exec, there is a comment that states "There are also a number of terminals with address 5xx which are secured-area terminals and should be disabled by the journal count, but not by rules". 

I'm not sure I understand this.  If the terminals are disabled by the journal count, then no one will be able to log on to that terminal, correct? 

What does it mean when you say they won't be disabled by the rules?

When the TERMPASS user exit is in place, one thing you can do is add a rule to the SYSTEM rules file so that the terminal can't log on any further.  

The journal is cleared when the rule is added or the terminal gets the password correct before the limit of invalid passwords is reached.

Yes, they may want to only JOURNAL the invalid logons for the secure terminals so in an emergency a person that has auth to use the JOURNAL RESET  can clear them.

However the business may not want that person to have RULES authorization to be able to change rules so they only JOURNAL the emergency terminals to allow work to continue (controlled environment).

Rule updating can have more consequences then journal clearing so rule updating may be limited to one or a few.

Customers that are under a mandate to get division of power may use that sort of exit logic.  

The exit is, of course, just a sample/example and each customer should change as needed.