Re: "... running through all possible or likely username-password combinations"
Erm, no.
Works for botnets also.
First, you restrict access to countries that you would legitimately be receiving connections from.
You can then enable whitelisted (what's the PC version of whitelist these days, allow list?) IP addresses / ranges that you know are legit sources and are not subject to throttling.
Then you have 2 options: all allowed IP addresses outside of that are considered a single source for invalid attempts and are all throttled, or are done individually. You now have a very reduced IP pool that could come from a botnet.
This pool could then be reduced further, as we are talking about a Cisco VPN / firewall here: implement their IPS and block all known botnet IP addresses too.
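The two throttling options described in the comment above, as an added example that is not part of the original comment and not Cisco's implementation. The country set, address ranges, thresholds and the `country_of` helper are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# All values below are constructed for illustration (RFC 5737 test ranges).
ALLOWED_COUNTRIES = {"GB"}
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]   # known-legit sources
HOME_NETS = [ipaddress.ip_network("198.51.100.0/24"), *ALLOWLIST]
MAX_FAILURES, WINDOW = 5, 300   # failures tolerated per bucket per 300 s

def country_of(ip):
    """Stand-in for a real GeoIP lookup (hypothetical helper)."""
    return "GB" if any(ip in n for n in HOME_NETS) else "ZZ"

class LoginThrottle:
    def __init__(self, shared_bucket):
        self.shared_bucket = shared_bucket
        self.failures = defaultdict(list)   # bucket key -> failure times

    def _key(self, ip):
        # Option 1: every non-allowlisted IP counts as one source.
        # Option 2: each IP is counted on its own.
        return "all-non-allowlisted" if self.shared_bucket else str(ip)

    def check(self, ip_str, now):
        ip = ipaddress.ip_address(ip_str)
        if country_of(ip) not in ALLOWED_COUNTRIES:
            return "deny-geo"
        if any(ip in n for n in ALLOWLIST):
            return "allow"                  # allowlisted: never throttled
        key = self._key(ip)
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW]
        return "throttle" if len(self.failures[key]) >= MAX_FAILURES else "allow"

    def record_failure(self, ip_str, now):
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in n for n in ALLOWLIST):
            self.failures[self._key(ip)].append(now)

def simulate(shared_bucket, throttle=None):
    """Ten distinct in-country IPs each make one wrong guess, one per second."""
    throttle = throttle or LoginThrottle(shared_bucket)
    decisions = []
    for i in range(1, 11):
        ip = f"198.51.100.{i}"
        decision = throttle.check(ip, now=i)
        decisions.append(decision)
        if decision == "allow":
            throttle.record_failure(ip, now=i)
    return decisions

if __name__ == "__main__":
    print("shared bucket:", simulate(True))
    print("per-IP bucket:", simulate(False))
```

With the shared bucket, the distributed guessing is cut off after five failures even though no single address repeats; the same bucket also throttles legitimate users outside the allow list until the window expires.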