I'm not suggesting booting the IP, merely denying another login attempt, especially to another account... And/or SimpleMachines could add the time limit thing (à la cPanel, etc.)
Oops, I mis-typed my account name, now I can't log in to my correct account for two hours! Real user-friendly, there. (I have about three different user names across six forums, so the chances are medium I'd get denied based on your description.)
I'm also concerned that if SMF does not do something to thwart this, that regular, non-hacker people will just start trying to log into accounts (maybe at a rival forum, or enemies, etc) knowing full well that SMF is unable to stop this...
Look, fake login attempts are going to happen. It's an internet-wide issue. It pre-dates the Internet, even. Way back when, you'd get people doing war dialing, the phone equivalent of finding a way into the system.
Your situation is rather silly. If someone starts trying to make some login attempts at a rival forum, it would be noticed by the admins if they checked their logs and that user would be banned fairly quickly. Direct attempts by a single person are easy to stop if you notice they are happening.
The situation here is much like the widespread SSH and FTP login attempts that have been going on for several years. You have a wide spread of IPs from infected end-user machines attempting logins. You can't easily ban all the IPs because of the collateral damage if you are not careful. You also can't do something like lock accounts after failed attempts because then you turn the attempts into a nice denial of service as your forum members find their accounts locked.
The only real solution that can be handled on the server's end is detecting and temporarily blocking the attempts. Tools like fail2ban were built for this exact scenario. Having a modification for SMF that behaves in a similar way would be worthwhile. Potentially, if these attacks turn into long-term things, integrating such functionality would be a good thing. However, it's not going to happen for 1.1, and 2.0 is too far along for such a large feature addition.
As for slow attacks, they aren't dangerous enough to concern oneself over unless you are allowing simple password complexity and users are using dictionary passwords.
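The detect-and-temporarily-block approach described in the post above, as an added example that is not part of the original thread and is not SMF or fail2ban code. It assumes a constructed log format of `epoch ip username result`; the `LoginThrottle` class, `replay` helper and threshold values are hypothetical, with parameter names borrowed from fail2ban's jail options.

```python
from collections import defaultdict, deque

# Parameter names follow fail2ban's jail options; the values are illustrative.
MAXRETRY = 5      # failures tolerated per source IP ...
FINDTIME = 600    # ... within this many seconds
BANTIME = 900     # length of the temporary block, in seconds

class LoginThrottle:
    """Temporarily blocks source IPs, never accounts, so members are not locked out."""
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time the block expires

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record(self, ts, ip, user, ok):
        """Feed one login event; returns 'blocked', 'ok' or 'fail'."""
        if self.is_blocked(ip, ts):
            return "blocked"                 # refused before any password check
        if ok:
            return "ok"                      # user is deliberately not a key anywhere
        q = self.failures[ip]
        q.append(ts)
        while q and q[0] <= ts - FINDTIME:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAXRETRY:               # threshold hit: block expires by itself
            self.blocked_until[ip] = ts + BANTIME
            q.clear()
        return "fail"

# Constructed sample log: "epoch ip username result"
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1010 203.0.113.7 bob FAIL
1020 203.0.113.7 carol FAIL
1030 198.51.100.4 alice FAIL
1040 203.0.113.7 alice FAIL
1050 203.0.113.7 alice FAIL
1060 203.0.113.7 alice OK
1070 198.51.100.4 alice OK
1960 203.0.113.7 dave FAIL
"""

def replay(log=SAMPLE_LOG):
    t, out = LoginThrottle(), []
    for ts, ip, user, result in (line.split() for line in log.splitlines()):
        out.append(t.record(int(ts), ip, user, result == "OK"))
    return out
```

In the sample, the member who mistypes once from 198.51.100.4 still logs in while 203.0.113.7 is blocked, and the block on 203.0.113.7 lapses after `BANTIME` without admin action.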