"If you lock a user account because an attacker was trying to brute force it, then the attacker wins a denial-of-service attack against that user (as stated by OWASP)."
Current account blocking by IP still does leave an unlikely but open DoS with IP spoofing or CSRF on the login form.
Not sure if the core team will decide it's worth pursuing/investigating, but thought it was food for thought.