The brute-forceable admin happened around the time web2py and Django devs started having a few arguments online, like this one [1], which didn't exactly paint web2py in a good light.
[0] https://security-tracker.debian.org/tracker/source-package/w...
[1] https://www.quora.com/Is-web2py-a-good-Python-web-framework