
From that link:

HMAC(K,m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m)).



Why would HMAC be inappropriate in this case (of storing user credentials)? Is there a vulnerability?

HMAC(key, password) instead of hash(password) or hash(salt+password)


I don't know of any attack. However, my point is just that HMAC means using hashing for a message authentication code. Encrypting hashes makes more sense as to what's going on.
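
The HMAC formula quoted at the top of the thread, written out with SHA-256 as H and checked against Python's standard `hmac` module. This is an added example, not code from any commenter or from the linked page; the choice of SHA-256, the names `hmac_sha256`, `store` and `verify`, and the sample key and password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 64  # SHA-256 consumes its input in 64-byte blocks


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)) with H = SHA-256."""
    # K' is the key normalised to exactly one block: a key longer than a
    # block is hashed first, a shorter key is right-padded with zero bytes.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")

    ipad = bytes(b ^ 0x36 for b in key)  # inner pad: every key byte xor 0x36
    opad = bytes(b ^ 0x5C for b in key)  # outer pad: every key byte xor 0x5c

    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def store(key: bytes, password: bytes) -> bytes:
    """The thread's HMAC(key, password): the tag kept in place of the password."""
    return hmac_sha256(key, password)


def verify(key: bytes, password: bytes, stored: bytes) -> bool:
    """Recompute the tag and compare it to the stored one in constant time."""
    return hmac.compare_digest(hmac_sha256(key, password), stored)


if __name__ == "__main__":
    key = os.urandom(32)          # constructed sample key
    password = b"correct horse"   # constructed sample password

    tag = store(key, password)
    # The hand-written formula agrees with the standard library.
    print(tag == hmac.new(key, password, hashlib.sha256).digest())
    print(verify(key, password, tag), verify(key, b"wrong guess", tag))
    # Unlike hash(password), the tag cannot be recomputed without the key.
    print(tag != hashlib.sha256(password).digest())
```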



