Many SSL attacks seem to require thousands or millions of interactive sessions or inputs. Is there a reason we aren't modifying our Internet-facing servers to drop connections and discard ephemeral keys when a particular IP or set of IPs performs actions that are outside the norm?
Well I think the crypto nerds would like to design crypto systems that are inherently (i.e. mathematically) resistant to such attacks.
But in general, I think you are right. I am astounded at how few networked applications perform rate limiting. Wordpress, for example, does not ship with any rate limiting on the login form. Brute force? Go ahead, give it a shot.
By comparison, Drupal 7 out of the box limits any IP to a small number of quick login attempts before blocking that IP temporarily.
If your application is intended for human interaction, it just makes sense to limit things to human speed. Maybe it's harder than I think it is, or maybe people just don't think of it.
It's a tradeoff (like so much in security): limit an IP to N number of quick login attempts, and it's easy for your students to DOS the Drupal-powered school portal (assuming the school is behind a NAT, at least). Often you want more security, and less convenience ... but it's not as easy as "most secure all the time!".
