Because otherwise you (or someone else) will be able to DDoS them.

Think of it like this: website A has an average user base of 10 users and can easily handle 20 requests simultaneously. So the server doesn’t usually have any trouble providing data to the clients under normal circumstances.

But there is one flaw – no one provided DDoS protection to the server. So let’s say one bad guy whose name is Gary is going to ruin everybody’s fun by Denial of Service (DoS). But since 11 requests from 11 users (clients+Gary) is well within the operational limits, he chooses to use Distributed Denial of Service (hence DDoS) tactic by attacking the server via let’s say 100 bots. These bots send requests to the server which can only handle 20 at once, “overloading” it with them. Since the server already struggles with these bots’ request, my or your request won’t get response – hence we are denied of service