As someone explained in a different comment above, modern exploit scripts will just rotate around through the entire database, trying different userids in series to avoid hitting rate limits per userid. Most criminals don’t actually care WHOSE account they hack, as long as they can get some monetary or data value out of any hacked account.
And, if you do a hard lock-out, that’s an easy way for an attacker to DoS your entire user base in short order.
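The two failure modes in the comment (per-userid limits evaded by rotating userids, and hard lockouts that let an attacker deny service to every user) suggest what a login guard should do instead: track failures per source as well as per userid, and throttle with a growing but capped delay rather than a hard lock. The following is an added example written for this thread, not code from the commenter or any product; the event format, thresholds, IP addresses and userids are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample login events (not from any real system):
# (timestamp in seconds, source IP, userid, success)
SAMPLE_EVENTS = [
    # one source walking many userids, one attempt each: spraying pattern
    (0, "203.0.113.7", "alice", False),
    (1, "203.0.113.7", "bob", False),
    (2, "203.0.113.7", "carol", False),
    (3, "203.0.113.7", "dave", False),
    (4, "203.0.113.7", "erin", False),
    (5, "203.0.113.7", "frank", False),
    # one source hammering a single userid: classic brute force
    (10, "198.51.100.9", "grace", False),
    (11, "198.51.100.9", "grace", False),
    (12, "198.51.100.9", "grace", False),
    (13, "198.51.100.9", "grace", False),
    (14, "198.51.100.9", "grace", False),
    (15, "198.51.100.9", "grace", False),
    # the legitimate owner eventually logs in; success resets her counter
    (40, "192.0.2.20", "grace", True),
    # normal user typo, then success: no alert, no throttling
    (50, "192.0.2.21", "heidi", False),
    (51, "192.0.2.21", "heidi", True),
]


class LoginGuard:
    """Sliding-window detector for spraying and brute force with a soft lockout.

    Rather than hard-locking a userid after N failures (which lets anyone
    lock out arbitrary victims), it returns a growing delay that caps out,
    so the real owner can still get in while the attacker's rate collapses.
    All thresholds below are assumed values, not from any standard.
    """

    def __init__(self, window=300, spray_threshold=5, user_threshold=5,
                 free_failures=2, base_delay=1.0, max_delay=60.0):
        self.window = window                    # seconds of history kept
        self.spray_threshold = spray_threshold  # distinct userids per source
        self.user_threshold = user_threshold    # failures per userid -> alert
        self.free_failures = free_failures      # failures before delay starts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._by_ip = defaultdict(deque)    # ip   -> deque[(ts, userid)]
        self._by_user = defaultdict(deque)  # user -> deque[(ts, ip)]
        self.alerts = []                    # (kind, key, ts)

    def _prune(self, dq, now):
        # drop entries older than the sliding window
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def observe(self, ts, ip, userid, success):
        """Record one login attempt; return seconds the caller should delay
        the next attempt for this userid (0.0 means no throttling)."""
        if success:
            self._by_user[userid].clear()   # genuine login wipes the penalty
            return 0.0

        # per-source view: many distinct userids from one place is a spray,
        # even though each userid is under any per-userid limit
        ip_hist = self._by_ip[ip]
        ip_hist.append((ts, userid))
        self._prune(ip_hist, ts)
        distinct = {u for _, u in ip_hist}
        if len(distinct) >= self.spray_threshold:
            self._alert("spray", ip, ts)

        # per-userid view: repeated failures on one account
        user_hist = self._by_user[userid]
        user_hist.append((ts, ip))
        self._prune(user_hist, ts)
        failures = len(user_hist)
        if failures >= self.user_threshold:
            self._alert("bruteforce", userid, ts)

        # soft lockout: exponential delay after a few free failures, capped
        excess = failures - self.free_failures
        if excess <= 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (excess - 1))

    def _alert(self, kind, key, ts):
        # de-duplicate: one alert per kind/key within the window
        if not any(k == kind and v == key and ts - t <= self.window
                   for k, v, t in self.alerts):
            self.alerts.append((kind, key, ts))


def run(events):
    """Replay events; return (alerts raised, delay returned per event)."""
    guard = LoginGuard()
    delays = [guard.observe(*e) for e in events]
    return guard.alerts, delays


if __name__ == "__main__":
    alerts, delays = run(SAMPLE_EVENTS)
    print(alerts)
    print(delays)
```

On the sample above the spraying source is flagged on its fifth distinct userid even though no single userid ever sees more than one failure, while the brute-forced account is throttled progressively and the owner's later successful login clears the penalty instead of staying locked out. In a real deployment the per-source key would also need to cope with attackers rotating source addresses, so the same distinct-userid counter is usually applied per ASN or per credential-stuffing fingerprint as well, not only per IP.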