Would you believe my school was still using those in 1993?*
Locking out user accounts after 3 unsuccessful attempts is a pretty blunt response and can result in unnecessary support overhead for the provider, not to mention irate users/customers. Yes, it's their fault and for their own good but when has that ever stopped someone complaining?
A better solution - at least for normal accounts - is to put delays on the logins after unsuccessful attempts. If I was designing a system, I'd allow 2-3 attempts and then have an increasing time out applied - starting with 15 seconds. Depending on the type of service you might then put a lock-out after 10 or more attempts in a short space of time.
Again, depending on the service, this might be a timed lock-out - say 30 minutes. If this gets hit too much, you can have stronger lock-outs that require intervention to resolve.
You could also make it so that it has separate timers per IP and can track when multiple attempts are made from different IPs in a short space of time, indicating potential access by a botnet.
Going more advanced, you can add a notification system that sends an e-mail or SMS to the owner of the account when there have been X amount of attempts.
The point is that the options are numerous and very flexible so there is even less excuse not to implement at least something. None of the above options are in any way new - all are in use and any vendor supplying the type of service that Apple are will have a development team who are more than capable of implementing any combination of these measures.
* - Actually, through to 1997 . . .
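The throttling scheme described in the comment above, as an added Python example that is not part of the original comment. The 3 free attempts, 15-second first delay, 10-attempt lock-out and 30-minute lock come from the comment; the doubling of the delay, the one-hour counting window, the five-IP alert threshold and all class and method names are assumptions.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Per-(account, IP) login delays, a timed lock-out and a multi-IP signal."""

    def __init__(self, free_attempts=3, base_delay=15, lock_after=10,
                 window=3600, lock_for=1800, ip_alert=5):
        self.free_attempts = free_attempts    # the delay starts at this failure count
        self.base_delay = base_delay          # first delay, in seconds
        self.lock_after = lock_after          # failures in the window before lock-out
        self.window = window                  # counting window (assumed: 1 hour)
        self.lock_for = lock_for              # timed lock-out: 30 minutes
        self.ip_alert = ip_alert              # distinct IPs treated as a botnet (assumed)
        self.failures = defaultdict(deque)    # (account, ip) -> failure timestamps
        self.blocked_until = {}               # (account, ip) -> earliest next attempt
        self.account_ips = defaultdict(dict)  # account -> {ip: last failure time}

    def wait_time(self, account, ip, now=None):
        """Seconds to wait before the next attempt is accepted (0 = go ahead)."""
        now = time.time() if now is None else now
        return max(0, self.blocked_until.get((account, ip), 0) - now)

    def record_failure(self, account, ip, now=None):
        """Count a failed or throttled attempt; return the delay now in force."""
        now = time.time() if now is None else now
        recent = self.failures[(account, ip)]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                  # forget failures older than the window
        self.account_ips[account][ip] = now
        n, delay = len(recent), 0
        if n >= self.lock_after:
            delay = self.lock_for
        elif n >= self.free_attempts:
            delay = self.base_delay * 2 ** (n - self.free_attempts)  # 15, 30, 60, ...
        self.blocked_until[(account, ip)] = now + delay
        return delay

    def record_success(self, account, ip):
        """A correct login clears that client's failure history and delay."""
        self.failures.pop((account, ip), None)
        self.blocked_until.pop((account, ip), None)

    def distributed_attack(self, account, now=None):
        """True when many different IPs failed on one account inside the window."""
        now = time.time() if now is None else now
        recent_ips = [t for t in self.account_ips[account].values() if t > now - self.window]
        return len(recent_ips) >= self.ip_alert
```

The state lives in process memory, so a real service would keep it in a shared store; `distributed_attack` and the lock-out branch are the natural places to trigger the e-mail or SMS notification the comment mentions.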