Comment by littlestymaar
3 months ago
If you have an attacker that can gain access on 25% of its attempts, it doesn't matter if there is a botnet with millions of IPs, they would still have around 25% success rate on just 10 IPs. It has nothing to do with brute force, it just means you have plenty of compromised accounts in the wild and you want to prevent bad actors from using them at scale.
The threat model is entirely different from what your brute force phrase implies, and it is also a threat model that isn't relevant to banking, which was the topic of the discussion in the first place. And more importantly, it doesn't affect the security of the user.