That could potentially cause them problems, yeah, if you were able to do that endlessly. In practice most companies will have some kind of rate limiting in place around features like that (by IP, cookie, captcha, etc.)
IP and cookie-based rate-limiting are trivially bypassed. In fact, any kind of rate-limiting is ineffective here, especially for smaller organisations, because you only need to generate a small fraction of the traffic they normally send out. If they separate transactional mail from other types of mail (something that is frequently recommended), then how many illegitimate password reset emails do you think an attacker needs to trigger to get to, say, a 5% failure rate? Smaller organisations don’t send out an awful lot of transactional email.
True, but modern CAPTCHA rate limiting is not easily bypassed, and a lot of the solutions are free.
Together with cookies, you can show the captcha only to visitors that are not already recognized in some way, giving them a limited number of actions before showing the captcha. And regardless of whether you want one on your password reset page, you almost certainly want one on your login page anyway.