
If you lock the account, you allow a trivial DoS. If you lock the IP, anyone with a botnet can trivially work around it. And with enough accounts, you can just scan the entire space of (possible) accounts for anyone with a particular PIN.



Every bank I have used will lock the account after a small number of failed attempts; sure, it's a DoS, but that's the price you pay. You are right about the botnet workaround, but if you have one you can just watch people logging in without needing to brute force anything! The real problem for people who break into bank accounts is where to transfer / spend the money that can't be traced.
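The tradeoff both comments describe, as an added example that is not from either commenter: a per-account lockout like the banks use, next to a per-source counter that notices one source touching many different accounts, which is the pattern an account lock alone never sees. Account names, source addresses, thresholds and the traffic are all constructed for the illustration.

```python
from collections import defaultdict, deque

ACCOUNT_FAIL_LIMIT = 5    # failed attempts per account before a hard lock
SPRAY_ACCOUNT_LIMIT = 20  # distinct accounts one source may touch per window
WINDOW = 600              # seconds (constructed value)

class LoginGuard:
    def __init__(self):
        self.fails = defaultdict(deque)    # account -> failure timestamps
        self.touched = defaultdict(dict)   # source -> {account: last seen}
        self.locked_accounts = set()
        self.flagged_sources = set()

    def attempt(self, now, account, source, success):
        # Spray detector: count distinct accounts per source inside the window.
        # Successes count too, since a correct guess is exactly what a sprayer wants.
        seen = self.touched[source]
        seen[account] = now
        for acct in [a for a, t in seen.items() if now - t > WINDOW]:
            del seen[acct]
        if len(seen) >= SPRAY_ACCOUNT_LIMIT:
            self.flagged_sources.add(source)
        # Account lock: the bank behaviour the thread describes.
        if account in self.locked_accounts:
            return "locked"
        if success:
            self.fails[account].clear()
            return "ok"
        dq = self.fails[account]
        dq.append(now)
        while dq and now - dq[0] > WINDOW:
            dq.popleft()
        if len(dq) >= ACCOUNT_FAIL_LIMIT:
            self.locked_accounts.add(account)
            return "locked"
        return "fail"

def run_scenarios():
    """Constructed traffic, not real data: two of the cases raised in the thread."""
    g = LoginGuard()
    # 1. Five wrong PINs against one account from one source: the account locks,
    #    which is the DoS the first comment points at.
    lock_results = [g.attempt(t, "acct-0001", "10.0.0.1", False) for t in range(5)]
    # 2. One source tries a single PIN against 25 different accounts: no account
    #    reaches the lock threshold, but the source trips the spray detector.
    spray_results = [g.attempt(100 + i, f"acct-{1000 + i}", "10.0.0.2", False)
                     for i in range(25)]
    return {"lock": lock_results, "locked_accounts": sorted(g.locked_accounts),
            "spray": spray_results, "flagged_sources": sorted(g.flagged_sources)}
```

A flagged source is a signal for step-up verification or alerting, not necessarily a block, since a botnet spreads the same pattern across many sources and the per-source counter is only one of the layers needed.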



