eli5 – Cyber passwords


Why do passwords need to be so complex and changed often? When I enter an incorrect password, I usually get an email about it being incorrect and after a few tries, get locked out. If someone was trying to log on, wouldn’t they run into these issues or can they bypass it somehow?


4 Answers

Anonymous

In the past, these protection measures didn’t exist. Meaning if I was trying to hack your e-mail, all I would have to do is know your login name (not particularly hard if I know your name and what company you work at – oh, you’re Jeff Fakename and you work at FakenameIncorporated -> jFakename(atSymbol)fakenameinc.org). All I would have to do is set up a program that auto-feeds your login name and an ever-changing password that starts by trying “a”, then “b”, then eventually “aa”, then eventually “aaa”, etc. etc. etc., and I will eventually get in. Most accounts didn’t have protections against this.

Eventually people wised up and realized that takes a long time, so let’s optimize the order that it tries things: let’s run through all the words in the dictionary first, because that will probably save a lot of time.

That’s the basics of a brute force attack.

Now, most places recommend using a complex password that’s not repeated anywhere because they have those protections that protect against people trying literally every possible combination of words, letters and symbols it could be. If they detect a set number of failed login attempts, they know to lock the account. But there’s always the chance that one of those entries just so happens to match your password in the first 5-10 tries before your account gets locked. So they tell you to use something unique and complex just so that slim chance can’t happen.

You specifically mention you get an e-mail; that’s another added layer of protection called two-factor authentication (2FA), but that is largely moving on to a separate, second password system (usually by sending a one-time-use code somewhere) or a phone call rather than e-mail nowadays. That came about as keylogger viruses became more and more common. Keyloggers basically are viruses/worms that infect a computer and just track all of the keystrokes that someone makes. Think of it as I’m standing behind you and looking at what you type in as you type in your password. 2FA helps to get around that, because now that is another system that the person would have had to infect in order to get into your account (hence why they are moving away from e-mail, because one keylogger on a computer can also get you that person’s e-mail login to verify yourself).

tl;dr – You are right, but that is exactly what those issues are there to do.
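The two halves of that answer, the lockout and the "slim chance" argument, as an added illustration that is not part of the original post: a small replay of constructed login-log lines that locks an account after a set number of failures in a window (so even the correct password is rejected once locked), plus the arithmetic for how likely a handful of guesses is to hit a dictionary word versus a long random password. The log format, user names, threshold and window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post): "<timestamp> <user> <result>".
SAMPLE_LOG = """\
2024-01-01T09:00:00 jfakename FAIL
2024-01-01T09:00:02 jfakename FAIL
2024-01-01T09:00:04 jfakename FAIL
2024-01-01T09:00:06 jfakename FAIL
2024-01-01T09:00:08 jfakename FAIL
2024-01-01T09:00:10 jfakename SUCCESS
2024-01-01T09:00:12 alice FAIL
2024-01-01T09:30:00 alice SUCCESS
"""

MAX_FAILURES = 5                # lock the account after this many failures ...
WINDOW = timedelta(minutes=15)  # ... seen inside this sliding window (assumed policy)

def lockout_check(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay login events in order and decide, per attempt, whether the account
    would still accept it. Returns {user: ["allowed" | "blocked", ...]}."""
    recent_failures = {}   # user -> timestamps of failures still inside the window
    outcomes = {}
    for line in log_text.strip().splitlines():
        ts_text, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        failures = [t for t in recent_failures.get(user, []) if ts - t < window]
        if len(failures) >= max_failures:
            # Account is locked: even a correct password is rejected now.
            outcomes.setdefault(user, []).append("blocked")
        else:
            outcomes.setdefault(user, []).append("allowed")
            if result == "FAIL":
                failures.append(ts)
        recent_failures[user] = failures
    return outcomes

def password_space(length, alphabet_size):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length

def guess_probability(space_size, tries):
    """Chance that `tries` distinct guesses from a space of `space_size`
    equally likely candidates include the real password."""
    return min(1.0, tries / space_size)

if __name__ == "__main__":
    print(lockout_check(SAMPLE_LOG))
    print("dictionary word (100k words), 10 tries:", guess_probability(100_000, 10))
    print("12 random printable chars, 10 tries:", guess_probability(password_space(12, 94), 10))
```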
