@sakuraime You are right, when this command is used without the --append parameter, it generates a new application password and overwrites the existing one.
There is no out of the box CLI command to update the new password in a Keyvault secret.
You will have to update it using az keyvault secret set command.
Please let us know if you have any questions.
----------
If an answer is helpful, please click on or upvote which might help other community members reading this thread.