The idea of a lockout only works of you’re trying to brute force the password through some system that you can be locked out of (like a login prompt on a website). In reality password brute forcing happens when somebody has a copy of the password hash.

This makes a lot more sense of you know what a password hash is and why they’re used. A “hash” in this context is a one way function that takes an input and outputs a fixed sized output (the output size is always the same, no matter the size of the input). The function being “one way” means that there is no good way to take an output and find out what the input was. The best you can do is try different inputs and see if the output matches. When you set a password on a website the backend database doesn’t (or at least shouldn’t) store your actual password, instead they hash your password and store that, the “password hash.” When you attempt to log in they hash the password that you typed in and then see if it matches the stored password hash. This way they can check if you typed in the right password but they don’t store anybody’s actual password. This means that people with access to the db (developers, administrators, etc) can’t look at people’s passwords and they can’t accidently leak passwords. But what they can do is leak the password hashes. The password hashes aren’t useful themselves (i.e. you can’t log in with the hash itself), but what they can do is hash a whole bunch of common passwords and see if any of the hashes match. This is what hackers are doing when they’re “brute forcing” the passwords.

This is also why it’s important to not use a common password. When hackers brute force passwords they have to feed potential passwords into the hash function and if they match the password hash, so naturally they start with the most common passwords.