That's only because they're using weak authentication. If they required users to use something like WebAuthn, the bot problems would be significantly easier to deal with.
How come? Last I checked there was a devtool to create virtual authenticators. Unless there’s a way for Wikipedia to permit only certain vendors like Yubico, akin to browsers trusting certain CAs, I don’t see how one couldn’t make a bot register thousands of accounts with virtual authenticators.
True, but that would significantly increase the barrier for contributions, especially at the long tail. As always, it's a trade-off, not a black-or-white situation.