We can customize Access Denied page for a web application through PowerShell script below.
$site = get-spsite "http://intranet.company.local"
$webApp = $site.WebApplication
However, there is one problem.
Users may access the site without domain name, such as "http://intranet". In that case, the customized Access Denied page is ignored, and users will see the OOTB page.
How to fix this issue? We have two options.
1. Create a separate zone for the web application, specify "intranet" in Host Header.
2. In IIS Site Bindings, add "Intranet" to the site.
Which one is better? It depends on how many WFE servers are there, and how much RAM a WFE server has, and, whether the SharePoint Administrator want to modify IIS settings manually.