The strength of the password is relevant in the scenario where the password was actually brute-forced through an interface. If it was jesus01 (or something else common - typically religious), then it may be an easy hack for the hacker.
iCloud would surely block consecutive, failed login attempts. From the post, reading years and years, opens up the possibility that it may have been something the hacker was following for some time. Therefore, he would have been blocked, but may have come back in 1 week to try again.
The possibility is a bit far-fetched, but it exists. The likelihood that this was actually the case is extremely low.
I _strongly_ suspect the iCloud web login will block brute force attempts. What I do wonder though, is if there's some other place an iCloud/AppleID login can be brute forced without appropriate rate limiting? Maybe an IAP API endpoint? Or an in app advertising endpoint? I wonder if the "check whether an IAP succeeded" API that the "just redirect you dns to my server and add my root cert" "exploit" uses is failing to block brute force attempts?
Even if iCloud allowed 10 failed logins before locking out for an hour, every hour, every day for seven years, that would still only let you crack a 4 digit lowercase-alphanumeric password. I'd be willing to bet that either the attacker took the password from something or that 'alphanumeric' is a misleadingly good description for the password.
