Those systems have been put into place to prevent brute force attacks, they aren’t everywhere.

Also, websites frequently store passwords, etc, in an encrypted database. This is supposed to stay private to their servers, but sometimes those databases get stolen. Once the database is stolen, it is just a file — the hackers have a copy on *their* computer, so they don’t put any rate-limits into *their* software, which they use to attack the database. This is where they can really go crazy with the brute-forcing.