CasPol is written in managed code, and as such is subject to the CLR's security policy system just like any other piece of managed code. Generally this is not a problem for it, since it is granted FullTrust by two separate code groups in the default policy, the MyComputer code group and the Microsoft strong name code group.
Even if a local administrator has decided not to blindly grant FullTrust to all code living on the local machine, CasPol will still be given FullTrust via code group 1.1.1. But what if that code group were to also stop granting FullTrust? At that point, your managed apps would be in a world of hurt, including CasPol. In fact, depending on the final grant set, CasPol would be likely unable to work itself. Because of this issue, CasPol will actually resist any attempts to put the policy in this state:
However, if you do pass the -force switch to CasPol, or through your own code, or any other mechanism get the policy to a state where CasPol cannot recover it, don't worry ... there's still a way to get your machine into a valid state without reinstalling the framework.
All you need to do is delete the security policy from your disk. As an Administrator delete %WINDIR%\Microsoft.NET\Framework\<version directory>\config\Security.config and Security.config.cch. This will remove the machine level policy. Then, run caspol -all -reset in order to put back the default policy .... otherwise you'll be in a state where you grant FullTrust to all code (assuming you have no code groups on other policy levels).