[brey]

You could use that argument to say 4-digit bank card PINs are really bad security - and you'd be right, except that they're always locked out after N attempts.

Why not the same approach here? if you try to brute force a password reset, you lock out further attempts for a few minutes.

[krallja]

You can then use this lockout for a denial of service attack.

[brey]

oh no ... I am unable to change my (perfectly secure) password for ten minutes because an attacker is attempting to brute force my password reset. I'd regard that as a feature, not a bug.

you don't need to lock out the entire account.