Re: Isn't that what makes their products so intuitive to use?
There's a lot that can be done to make brute-force attacks useless before locking an account. Wait timers are good and simple. A lousy one minute delay between attempts would completely kill a brute force attack, while it would be just an inconvenience to the user. So:
0- Enforce password complexity. Should be simple when you already know everything about your user: "No, you cannot use that password because it was the name of your 3rd grade teacher's pet gerbil"... ;)
1- Start with a one second wait and double it with every failure. Cap at 128 seconds or something, to keep things sane. Else you'll very quickly effectively lock the account.
2- Lock the account only when hundreds of attempts are made in a single day or some such.
The details will vary and some fine-tuning will definitely be required based on the type of data, users, actual usage experience and whatever other attack vectors might exist (brute force attacks vs. denial of service, for example), but you see the basics. Not complex.