Why not lock the account for 30 minutes after 6 failed attempts?



That would make it quite easy to maliciously lock someone out.

Instead of locking accounts, appropriate throttling might be a better idea.


Throttling can still result in an effective DoS for the affected user, as they get stuck in the queue behind the brute force attempts. Throttling based on source address is not practical either given many brute force attempts use many hacked hosts as their sources to get around this very sort of limit.


Which is a big concern for internet-accessible things. However, if your password entry is a physical device it works great.
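A small simulation of the two failure modes raised in this thread, added here as an illustration and not code from any commenter: the 6-failures/30-minute lockout keyed on the account, and a per-account throttle that queues attempts. Class names, the `DELAY` value and the constructed attacker/victim scenarios are assumptions.

```python
from collections import defaultdict

LOCK_AFTER = 6            # failed attempts before lockout (figure from the thread)
LOCK_SECONDS = 30 * 60    # 30-minute lockout (figure from the thread)


class LockoutPolicy:
    """Lock the account after LOCK_AFTER consecutive failures, keyed on the account only."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, user, password_ok, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"                  # a correct password is refused too
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCK_AFTER:
            self.locked_until[user] = now + LOCK_SECONDS
            self.failures[user] = 0
        return "denied"


class ThrottlePolicy:
    """Serialise attempts per account: each runs DELAY seconds after the previous one started (assumed value)."""
    DELAY = 5.0

    def __init__(self):
        self.next_slot = defaultdict(float)  # earliest time the next attempt on a user may run

    def attempt(self, user, password_ok, now):
        start = max(now, self.next_slot[user])
        self.next_slot[user] = start + self.DELAY
        return ("ok" if password_ok else "denied", start - now)   # (result, seconds queued)


def lockout_scenario():
    """Constructed: attacker sends LOCK_AFTER wrong guesses, then the real user logs in."""
    p = LockoutPolicy()
    for i in range(LOCK_AFTER):
        p.attempt("alice", False, now=i)
    return p.attempt("alice", True, now=10)        # "locked": the user is shut out for 30 min


def throttle_scenario(attacker_guesses=100):
    """Constructed: attacker queues guesses, then the real user logs in with the right password."""
    p = ThrottlePolicy()
    for _ in range(attacker_guesses):
        p.attempt("alice", False, now=0)
    return p.attempt("alice", True, now=0)         # ("ok", 500.0): accepted, but only after 500 s in the queue
```

Neither keying scheme looks at the source address, which is the point of the thread: with many source hosts a per-source limit would not stop the queue from filling either.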



