That was one of the points in the article. Since the merchant implements the limit and not the bank itself, you work across N merchants and you get plenty of attempts.
And if the merchant is trying to be "consumer friendly" and accepts a relatively high number of failures before blocking the transaction, the allowed number of attempts is probably staggering.
And if the merchant is trying to be "consumer friendly" and accepts a relatively high number of failures before blocking the transaction, the allowed number of attempts is probably staggering.