by kevin_b_er 2899 days ago
They have to balance user attention and user friction. Online retailers want your purchase to be as smooth as possible. There are some studies on how someone won't spend much time on a website if it loads slowly. The same can apply to purchase decisions. They need it as impulsive as possible. So annoying things like two-factor authentication, in their mind, might make a customer give up their purchase.

So things are insecure because that's what customers want to satisfy their relatively low attention spans and impatience. And the retailers optimize for that.

1 comments

Makes sense, nobody likes slow pages. However, don't most people have the browser save their password? So couldn't the online retailer have some sort of exponential delay (to a limit) after so many failed attempts? Surely that would affect few real customers.
What is being delayed? Just an IP address or the entire account? Neither really works.
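
The capped exponential delay proposed above, replayed with the throttle keyed first by account and then by source IP, as an added example that is not part of the thread. The class name, thresholds and sample attempts are assumptions constructed for illustration.

```python
class LoginThrottle:
    """Capped exponential delay after repeated failed logins (hypothetical helper)."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0):
        self.free_attempts = free_attempts  # failures allowed before any delay
        self.base_delay = base_delay        # seconds, doubles with each further failure
        self.max_delay = max_delay          # the "to a limit" part
        self.failures = {}                  # key -> consecutive failed attempts
        self.blocked_until = {}             # key -> time the next attempt is allowed

    def delay_for(self, failures):
        extra = failures - self.free_attempts
        if extra <= 0:
            return 0.0
        # Exponent is clamped so very long failure runs cannot overflow a float.
        return min(self.base_delay * 2 ** min(extra - 1, 32), self.max_delay)

    def seconds_to_wait(self, key, now):
        return max(0.0, self.blocked_until.get(key, 0.0) - now)

    def record_failure(self, key, now):
        self.failures[key] = self.failures.get(key, 0) + 1
        self.blocked_until[key] = now + self.delay_for(self.failures[key])

    def record_success(self, key):
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)


def replay(key_fn, attempts):
    """Replay failed attempts; return the wait each one faced under key_fn."""
    throttle, now, waits = LoginThrottle(), 0.0, []
    for account, ip in attempts:
        key = key_fn(account, ip)
        wait = throttle.seconds_to_wait(key, now)
        waits.append(wait)
        now += wait  # the client waits out the delay, then fails again
        throttle.record_failure(key, now)
    return waits


# Constructed sample: six wrong guesses for one account from six addresses
# (documentation range 203.0.113.0/24), then the owner mistyping from her own.
ATTEMPTS = [("alice", f"203.0.113.{n}") for n in range(1, 7)]
ATTEMPTS.append(("alice", "198.51.100.7"))

BY_ACCOUNT = replay(lambda account, ip: account, ATTEMPTS)
BY_IP = replay(lambda account, ip: ip, ATTEMPTS)
```

Keyed by account, the last constructed attempt (the owner's) inherits the delay accumulated by the earlier failures; keyed by IP, attempts from distinct addresses never accumulate any delay.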