
I'd love to penalize any attempt at password auth. Not the IP addresses, just if you're dumb enough to try sending a password to my ssh server, you're going to wait a good long time for the failure response.

Actually I might even want to let them into a "shell" that really screws with them, but that's far outside of ssh's scope.




I certainly don't want to expose any more surface area than necessary to potential exploits by an attacker who hasn't authenticated successfully.


Yeah you're right, the screw-with-them-shell would have to be strictly a honeypot thing, with a custom-compiled ssh and all the usual guard rails around a honeypot. The password tarpit could stay, though script kiddie tools probably scale well enough now that it's not costing them much of anything.



