The flip side of this is: why does WordPress, out of the box, have so many basic security and performance problems? Surely simple brute force protection/rate limiting, two-factor auth, and page caching (or password-less login) are solved problems now?