I heard about a case where someone built a phone app backend without rate limiting. Someone found this hole and successfully attacked 70,000 accounts by running password dictionary cracks against the authentication API.
Modern distributed systems are simply too fast and users are too dumb with picking passwords to allow unlimited password attempts.
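To show what the missing control in the story above looks like in practice, here is an added example of a per-account and per-source-address sliding-window rate limiter sitting in front of a login check. This is illustration code written for this page, not the backend from the story or any real product; the thresholds, the `login` function, the in-memory user store and the `ManualClock` used to drive the window are all constructed for the demo.

```python
"""Sliding-window login rate limiter (added illustration, not from the original post).

Every name, threshold and sample credential here is constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed per key within the window
WINDOW_SECONDS = 300    # length of the sliding window


class ManualClock:
    """Test clock so the window expiry can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginRateLimiter:
    """Keeps timestamps of recent failures per key (account name, source IP)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(deque)     # key -> timestamps of failures

    def _recent(self, key):
        """Drop failures older than the window; return the ones still counting."""
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def reset(self, key):
        self._failures.pop(key, None)


def hash_password(password, salt):
    # Iteration count kept modest so the demo runs quickly; raise it in real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user_store(credentials):
    """Constructed in-memory store: {username: (salt, pbkdf2 hash)}."""
    return {name: (salt, hash_password(pw, salt))
            for name, pw in credentials.items()
            for salt in [os.urandom(16)]}


def login(username, password, source_ip, limiter, store):
    """Return 'ok', 'invalid' or 'rate_limited'.

    Both keys are checked before the password store is consulted, so a blocked
    caller never learns whether a guess was right, and the expensive hash is
    never computed for refused attempts.
    """
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(limiter.is_blocked(k) for k in keys):
        return "rate_limited"
    entry = store.get(username)
    if entry is not None:
        salt, expected = entry
        if hmac.compare_digest(hash_password(password, salt), expected):
            for k in keys:
                limiter.reset(k)
            return "ok"
    for k in keys:                 # unknown user and wrong password count alike
        limiter.record_failure(k)
    return "invalid"


def burst_of_failures(n, limiter, store, username="alice", source_ip="198.51.100.7"):
    """Send n wrong passwords; return how many the limiter refused outright."""
    outcomes = [login(username, f"wrong{i}", source_ip, limiter, store)
                for i in range(n)]
    return outcomes.count("rate_limited")


if __name__ == "__main__":
    clk = ManualClock()
    lim = LoginRateLimiter(clock=clk)
    users = make_user_store({"alice": "correct horse battery staple"})
    print("refused out of 50:", burst_of_failures(50, lim, users))
    clk.t += WINDOW_SECONDS + 1
    print("after window:", login("alice", "correct horse battery staple",
                                 "198.51.100.7", lim, users))
```

The point to notice is that keying on the account as well as the source address matters: limiting only by IP leaves a single account open to a distributed guesser, while limiting only by account lets one source spray many accounts. Real deployments would also back the failure counters with shared storage so the limit holds across backend instances.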