It is appalling
... that WordPress will still, in 2020, allow attackers as many attempts to brute-force your login details as they like, as fast as they like, and do absolutely nothing to detect or stop this unless you install a plugin or similar. Which they KNOW that most users don't.
They also make it easier for attackers to do this by providing an interface that can be - and they KNOW is - abused to try 100+ username / password combos at once. Again, attackers can do this as fast as they like and for as long as they like.
Instead, Automattic are far more concerned with forcing the pile of steaming bloatware that is Gutenberg on its users, complete with its own set of security holes.