How Much Security is Needed?: This is a really interesting thought.
If you have a system that locks out a user after too many incorrect logins, then it becomes easy for a malicious user to deny access to your users by simply attempting to log in as them.
You could wreak some havoc with a script that just pelted a site with failed login attempts. You could effectively disable a user — call it a user-specific DoS attack. It would take some log review and some coding or firewall hacking to stop the script, and a lot of sites wouldn’t have the wherewithal to do it.
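The log review mentioned above can be automated. The following is an added example, not part of the original post: it scans authentication log lines and reports which source addresses are responsible for the bursts of failures that trigger lockouts, so the source can be throttled or blocked instead of the account. The log format, the function name `find_lockout_abuse`, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not from any real product):
#   <ISO-8601 timestamp> LOGIN_FAIL|LOGIN_OK user=<name> src=<ip>
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

def find_lockout_abuse(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted accounts} for sources that produced at least
    `threshold` failed logins against one account inside `window`."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    flagged = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines that are not login events
        ts_raw, event, user, src = m.groups()
        ts = datetime.fromisoformat(ts_raw)
        q = recent[(src, user)]
        if event == "LOGIN_OK":
            q.clear()             # a success from this source resets its streak
            continue
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[src].add(user)
    return {src: sorted(users) for src, users in flagged.items()}

# Constructed sample: one source hammering two accounts, one user mistyping
# twice before succeeding, and one owner failing once from a different address.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{s:02d} LOGIN_FAIL user=alice src=203.0.113.7"
     for s in range(0, 30, 5)]
    + [f"2024-05-01T10:01:{s:02d} LOGIN_FAIL user=bob src=203.0.113.7"
       for s in range(0, 30, 5)]
    + ["2024-05-01T10:02:00 LOGIN_FAIL user=carol src=198.51.100.20",
       "2024-05-01T10:02:09 LOGIN_FAIL user=carol src=198.51.100.20",
       "2024-05-01T10:02:20 LOGIN_OK user=carol src=198.51.100.20",
       "2024-05-01T10:03:00 LOGIN_FAIL user=alice src=198.51.100.5"]
)

if __name__ == "__main__":
    for src, users in find_lockout_abuse(SAMPLE_LOG).items():
        print(f"{src} caused repeated failures for: {', '.join(users)}")
```

Counting failures per (source, account) pair rather than per account is what lets a site respond to the offending address while leaving the legitimate owner able to log in from elsewhere.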