> I don't really understand why a separate poweroff
> command is needed at all...
That's exactly what I find fascinating. Given the design of services, there has to be a way to start and stop services cleanly (whether that's a real or only perceived need is a good question). Therefore, there has to be a shutdown command. Clearly, the user of the shutdown command needs to be able to specify what their desired end-state is: power off, halt (but keep power on, for a warm start), and immediate reboot (which is done with the -p, -h and -r options). Great.
Contrariwise, there seems to be a need for a rapid shutdown that bypasses the nice clean way of stopping the services. This is where commands like reboot and halt come in. It turns out that once again there are options such as -p. For consistency, it would make more sense if poweroff was a command like reboot and halt; but it isn't. When do you really need to use these commands? As you said, only when things are already borken.
This is actually an area that systemd does correctly. Internally, it has only one shutdown mechanism (all the existing commands are just light-weight aliases for various systemctl invocations). There, you usually do shutdown, but if you don't want to wait for a clean stop of services and only use the two signals that cracauer@ described above, then you use the -f flag. And if you don't even want to do the signals, then you use -f twice. This seems very logical to me.
My personal opinion is actually that the whole discussion is wrong-headed. All services and system facilities need to be designed to survive a full crash (CPU stops on a dime), partial crash (some threads stop when a core dies, but other cores in an SMP keep running), and full power failure (where not even peripherals like disks are given time to finish the last IO). In the best of all possible worlds, the system should tolerate this, with only minimal impact on recovery (for example, a few seconds during the next boot to recover partially done transactions from logs). In this world-view, the correct way to power off a system is to hit the power switch without warning anyone about it, and similarly the reset button for reboot. (Side remark: If you have human users, you should clearly warn them about a planned outage, so they can arrange their schedules around it, like go have a coffee.) If systems were designed this way (and some are, ZFS gets pretty close), the only commands you'd need are rudimentary versions of halt/reboot/poweroff, which allow performing the function of the NMI button, reset button and power switch from a keyboard. But traditional Unix systems are not designed this way, which makes them more vulnerable to unintended outages.
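The crash-tolerant design argued for above (state that survives an abrupt power cut, with a few seconds of log recovery on the next boot) is easy to show in miniature. The following is an added example, not code from anyone in this thread: a constructed append-only journal where each record is length-prefixed and checksummed, every write is fsync'ed before it is acknowledged, and replay on startup discards a torn tail record rather than trusting it. `simulate_power_loss` stands in for the power switch being hit mid-write; the file layout, record format and function names are all assumptions of this example.

```python
import hashlib
import os
import struct
import tempfile

# Constructed example (not from the thread): a minimal crash-tolerant key/value
# store. Every update is appended to a journal as one self-checking record
# before it is acknowledged; on startup the journal is replayed and any torn
# tail record (power lost mid-write) is discarded instead of corrupting state.

HEADER = struct.Struct("<I")   # little-endian record length prefix
DIGEST_LEN = 32                # sha256 digest appended to each record


def _encode(key, value):
    """Serialise one update as <len><payload><sha256(payload)>."""
    payload = f"{key}={value}".encode()
    digest = hashlib.sha256(payload).digest()
    return HEADER.pack(len(payload)) + payload + digest


class JournalKV:
    def __init__(self, path):
        self.path = path
        self.state = {}
        self.recovered_torn = False   # set if replay had to drop a partial record
        self._replay()

    def _replay(self):
        """Rebuild in-memory state from the journal, stopping at the first
        record that is truncated or fails its checksum, then trim the file
        back to the last good record so the next append starts clean."""
        if not os.path.exists(self.path):
            return
        with open(self.path, "rb") as f:
            data = f.read()
        off = 0
        good_end = 0
        while off + HEADER.size <= len(data):
            (n,) = HEADER.unpack_from(data, off)
            end = off + HEADER.size + n + DIGEST_LEN
            if end > len(data):          # length prefix written, body never landed
                break
            payload = data[off + HEADER.size: off + HEADER.size + n]
            digest = data[off + HEADER.size + n: end]
            if hashlib.sha256(payload).digest() != digest:   # torn or bit-rotted
                break
            key, _, value = payload.decode().partition("=")
            self.state[key] = value
            off = end
            good_end = end
        if good_end != len(data):
            self.recovered_torn = True
            with open(self.path, "r+b") as f:
                f.truncate(good_end)
                f.flush()
                os.fsync(f.fileno())

    def put(self, key, value):
        """Durable write: the record is on stable storage before we return."""
        with open(self.path, "ab") as f:
            f.write(_encode(key, value))
            f.flush()
            os.fsync(f.fileno())
        self.state[key] = value

    def get(self, key):
        return self.state.get(key)


def simulate_power_loss(path, cut_bytes):
    """Model an abrupt power cut: the last cut_bytes never reached the disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.truncate(max(0, size - cut_bytes))


def demo():
    """Three committed updates, power lost inside the third, then 'reboot'."""
    path = os.path.join(tempfile.mkdtemp(), "journal.bin")
    kv = JournalKV(path)
    kv.put("balance", "100")
    kv.put("balance", "150")
    kv.put("balance", "200")
    simulate_power_loss(path, 5)      # tear the last record
    recovered = JournalKV(path)       # equivalent of the next boot
    return recovered.get("balance"), recovered.recovered_torn


if __name__ == "__main__":
    print(demo())
```

Run as written, the recovered store reports the last fully committed value ("150") and flags that a torn record was discarded. The checksum, not just the length prefix, is what makes the tail detection robust: a record whose length field landed on disk but whose body did not would otherwise be replayed as garbage. The fsync calls are the part that makes "hit the power switch" a legitimate shutdown for this service; without them the journal is only as safe as the write cache.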