You have to put credit on and then do something chargeable at least once every 90 days - send a text or whatever. Eventually it will run out of credit.
It makes business sense, if you think about it. What is the point of potentially tying up a mobile number from a limited pool when you've no idea if it's even in use any more.
If your security solution can send a system status text every (say) six weeks, you will be able to plumb a reminder into your phone to predict that text and the predicted need for more credit. If the status text doesn't arrive when your alarm goes off, it's a sign that something has gone wrong, and you get to find out before something bad actually happens.