2 is an interesting point. Let's say you want to rate limit login attempts to help reduce brute-force attacks. How would you recommend doing it if not by IP? You can tie it to the specific username being requested, but this has other downsides, i.e. you can DoS someone's account by sending fraudulent login attempts to it, and it also doesn't prevent attacks where people just test previously leaked username / password combos against your site.
Rate limiting by IP is trivial to work around. If you’re doing something white/grayhat there are plenty of services that will allow you to affordably "lease" as many IP addresses as you need for very short amounts of time. For blackhat purposes it’s only slightly more effort and even cheaper to do the same thing, illegally of course.
Not at all, it's a stupid idea. You are trying to nail down an identity without authentication; that cannot work. If you use credentials with sufficiently high entropy, which you should do anyway, you don't have a problem that this could be the solution to.
From a consumer standpoint the problems I've run into and heard about are:
1. Can't use port-forwarding anymore since you can't configure the ISP's router doing the NAT
2. A bad neighbor sharing your IP can get you IP banned on sites that still think IP address is a good way to block/throttle bad players
3. Connections can be unstable if there's a lot of connections going on, so prime-time can often run into issues.
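
The trade-offs raised in this thread (per-IP versus per-username limits, many short-lived addresses, reused leaked credentials, a shared NAT address) can be replayed against a small sliding-window limiter. This is an added example, not code from any commenter; the policy of 5 failures per 300 seconds, the addresses and the usernames are constructed assumptions.

```python
from collections import defaultdict

WINDOW, LIMIT = 300, 5  # assumed policy: 5 failures per key per 300 s

def refused(events, key):
    """Replay (ts, ip, user, ok) attempts; return those a limiter keyed by `key` rejects."""
    fails, out = defaultdict(list), []
    for ev in events:
        ts, k = ev[0], key(ev)
        fails[k] = [t for t in fails[k] if ts - t < WINDOW]  # slide the window
        if len(fails[k]) >= LIMIT:
            out.append(ev)        # rejected before credentials are even checked
        elif not ev[3]:
            fails[k].append(ts)   # only failed logins count against the key
    return out

def by_ip(ev):
    return ev[1]

def by_user(ev):
    return ev[2]

# Constructed traffic (documentation IP ranges, made-up usernames).
# 1. One account guessed from 20 different addresses, then the real owner logs in.
rotating = [(i, f"203.0.113.{i + 1}", "alice", False) for i in range(20)]
rotating.append((25, "192.0.2.10", "alice", True))
# 2. Leaked username/password pairs: one try per account, each from a new address.
stuffing = [(i, f"203.0.113.{i + 1}", f"user{i}", False) for i in range(20)]
# 3. Shared NAT address: a neighbour fails 5 logins, then bob logs in correctly.
shared = [(i, "198.51.100.7", f"victim{i}", False) for i in range(5)]
shared.append((10, "198.51.100.7", "bob", True))

def summary():
    return {
        "rotating/ip": len(refused(rotating, by_ip)),
        "rotating/user": len(refused(rotating, by_user)),
        "owner_locked_out": rotating[-1] in refused(rotating, by_user),
        "stuffing/ip": len(refused(stuffing, by_ip)),
        "stuffing/user": len(refused(stuffing, by_user)),
        "bob_blocked_by_ip": shared[-1] in refused(shared, by_ip),
        "bob_blocked_by_user": shared[-1] in refused(shared, by_user),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:22} {value}")
```

Neither key alone covers all three cases: the per-IP limiter never fires on the first two traffic patterns and blocks bob on the third, while the per-username limiter stops the guessing but also rejects the account owner.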