Doesn't HPKP become useless after the max age has expired?
Yes, after the timeout is reached, the pin is no longer effective. But the expectation is that you will eventually visit the page again before your pin expires, thus refreshing the timeout again and updating the pins. It can be dangerous to never let a pin expire because you could lock out previous users forever if you accidentally let them pin the wrong key just once.
Isn't it obvious that an attacker will wait until their max age is expired and then perform the attack?
Such an attacker has to be very patient and make a few assumptions. The victim may not visit the site regularly since that would extend the timeout on each visit. Additionally, the attack has to be still feasible after that time. Two months can be long for a CA breach to remain undetected.
Ultimately it's a trade-off which RFC 7469 ("Public Key Pinning Extension for HTTP") explains in the section on Security Considerations:
4.1. Maximum max-age
[...] There is a security trade-off in that low maximum
values provide a narrow window of protection for users who visit the
Known Pinned Host only infrequently, while high maximum values might
result in a UA's inability to successfully perform Pin Validation for
a Known Pinned Host if the UA's noted Pins and the host's true Pins
diverge.
(UA = User Agent, meaning your browser)
The RFC recommends an expiry time around 60 days (which is exactly the time GitHub uses):
There is probably no ideal upper limit to the max-age directive
that would satisfy all use cases. However, a value on the order of
60 days (5,184,000 seconds) may be considered a balance between the
two competing security concerns.
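
The refresh-on-visit behaviour discussed in this answer, as an added example that is not part of the original post: a simplified single-host model of a user agent's pin cache. The class, the function names and the SPKI byte strings are constructed for illustration, and time is passed in as plain seconds.

```python
import base64, hashlib, re

DAY = 86400

def spki_pin(spki: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def parse_pkp(header: str):
    """Return (set of pins, max-age in seconds) from a Public-Key-Pins value."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))
    m = re.search(r'max-age=(\d+)', header)
    if not pins or m is None:
        raise ValueError("header needs pin-sha256 and max-age")
    return pins, int(m.group(1))

class PinStore:
    """Toy user-agent pin cache for one host (hypothetical, simplified)."""
    def __init__(self):
        self.pins, self.expires = set(), 0

    def connect(self, now, served_spki, header=None):
        pinned = now < self.expires            # pin only counts until expiry
        if pinned and spki_pin(served_spki) not in self.pins:
            return "blocked"
        if header:
            pins, max_age = parse_pkp(header)
            if max_age == 0:                   # max-age=0: forget the pins
                self.pins, self.expires = set(), 0
            elif spki_pin(served_spki) in pins:  # note pins only if chain matches
                self.pins, self.expires = pins, now + max_age
        return "ok (pinned)" if pinned else "ok (unpinned)"

# Constructed stand-ins for DER-encoded SPKI structures.
SITE_KEY, BACKUP_KEY = b"constructed-site-spki", b"constructed-backup-spki"
OTHER_KEY = b"constructed-never-pinned-spki"

def timeline():
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=%d' % (
        spki_pin(SITE_KEY), spki_pin(BACKUP_KEY), 60 * DAY)
    ua = PinStore()
    return [
        ua.connect(0, SITE_KEY, header),         # first visit, pinned to day 60
        ua.connect(30 * DAY, OTHER_KEY),         # inside the window
        ua.connect(45 * DAY, SITE_KEY, header),  # revisit moves expiry to day 105
        ua.connect(90 * DAY, OTHER_KEY),         # past day 60, still protected
        ua.connect(106 * DAY, OTHER_KEY),        # no visit since day 45: expired
    ]
```

The day-90 connection is rejected only because of the day-45 visit; without it the pin would have lapsed on day 60.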