To put this in perspective: The cost of calculating a 10k character hash is negligible compared to serving a modestly sized image.
Still, you have a point that allowing arbitrarily sized passwords leads to denial-of-service attacks. That said, a more reasonable limit would be 100 or 256, for example.
If that were the case, would the limits be so small? I mean, it's usually like "less than 16 characters" or something. The extra CPU time to raise that limit to, like, 128 or something would be totally insignificant (especially if they're using a key-derivation function after the hash, as they should be).
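To make the cost argument concrete, here is an added example (not code from any commenter in this thread). It assumes PBKDF2-HMAC-SHA256 as the KDF and a 256-byte cap, which are illustrative choices taken from the numbers floated above, not a quoted policy. It counts how many 64-byte blocks SHA-256 compresses for a 10k-byte input, enforces the cap before any KDF work is spent, and times the KDF for 16-, 256- and 10,000-byte inputs to show the length barely matters once a KDF is in the loop.

```python
"""Added example: cap password length before the KDF, and measure where the cost is.
Assumed: PBKDF2-HMAC-SHA256 as the KDF, a 256-byte cap, 600k iterations."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

MAX_PASSWORD_BYTES = 256      # assumed policy limit (the thread suggests 100 or 256)
PBKDF2_ITERATIONS = 600_000   # assumed work factor


def sha256_compression_calls(n_bytes: int) -> int:
    """Blocks SHA-256 must compress for an n-byte message: the data plus one
    0x80 padding byte and an 8-byte length field, rounded up to 64 bytes."""
    return (n_bytes + 1 + 8 + 63) // 64


def check_length(password: bytes, max_bytes: int = MAX_PASSWORD_BYTES) -> None:
    """Cheap length check that runs before anything expensive."""
    if len(password) > max_bytes:
        raise ValueError(f"password exceeds {max_bytes} bytes")


def hash_password(password: bytes, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS,
                  max_bytes: int = MAX_PASSWORD_BYTES) -> Tuple[bytes, bytes]:
    """Length check first, then the slow KDF. Returns (salt, derived key)."""
    check_length(password, max_bytes)
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, dk


def verify_password(password: bytes, salt: bytes, expected: bytes,
                    iterations: int = PBKDF2_ITERATIONS,
                    max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """Over-length input is rejected before any KDF work is spent on it."""
    if len(password) > max_bytes:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(dk, expected)


def time_pbkdf2(password: bytes, iterations: int) -> float:
    """Seconds for one PBKDF2 run; bypasses the cap so long inputs can be measured."""
    salt = b"\x00" * 16  # fixed salt: this is a timing probe, not a stored hash
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # A 10k-byte password costs SHA-256 about 157 block compressions: trivial.
    print("SHA-256 blocks for 10,000 bytes:", sha256_compression_calls(10_000))
    # HMAC hashes any key longer than 64 bytes down to 32 bytes once, up front,
    # so the per-iteration cost of PBKDF2 is the same for 16, 256 or 10,000 bytes.
    for n in (16, 256, 10_000):
        secs = time_pbkdf2(b"x" * n, 100_000)
        print(f"{n:>6}-byte password, 100k iterations: {secs:.3f}s")
    salt, dk = hash_password(b"correct horse battery staple")
    print("verify ok:", verify_password(b"correct horse battery staple", salt, dk))
    print("over-length accepted:", verify_password(b"a" * 300, salt, dk))
```

Run it and the three timings come out within noise of each other: the iteration count dominates, the input length does not, which is the thread's point. The cap still belongs there, because the one-time pre-hash and the request body itself do scale with length. One reason limits much smaller than 256 do show up in practice is bcrypt, which only uses the first 72 bytes of the password, so sites built on it often cap at 72 rather than pre-hash.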