Every bank I have used will lock the account after a small number of failed attempts; sure it's a DoS, but that's the price you pay. You are right about the botnet work around, but if you have one you can just watch people logging in without needing to brute force anything! The real problem for people who break into bank accounts is where to transfer / spend the money that can't be traced.