When the credentials are wrong, the server sends you back a page containing the filled username and perhaps also the password. That should be done with https, and caching headers asking not to store it, but there's the possibility that the error page that was sent with the provided password in the source is stored somewhere (browser cache, an intermediate proxy…).
When there's an asynchronous login, the page itself is not reloaded, and thus this issue doesn't happen.
With a login form, you pretty much always want to blank the password, as the user will have to retype it anyway since it was wrong (and is unlikely to know which was his typo).
The debate on whether to-blank-or-not-blank the password field usually arises when dealing with the registration form. There it is likely that an unrelated field is rejected (eg. username taken) and the user needs to provide a new username (which may turn out not be available, either) and the password and password confirmation. That makes an unpleasant UI. And there there are different opinions on which should wine.