Because you don’t brute force the live system directly. Attackers will have obtained a copy of the password database, and can attack it locally on their own system, where lockouts or other controls aren’t a factor.