Isn't that the whole point though? I mean, I would think that sometime between the start of the attack and one-hundred thousand years later a Facebook admin might realize there is an attack on this account and take appropriate measures. And a botnet will not matter, 5 attempts every 15 minutes is 5 attempts every 15 minutes. Sure, a lot of computers can come up with a lot of answers to the question 'what is the password for account XYZ,' but the computer asking the question will only allow 5 answers every 5 minutes. It doesn't matter if there are a billion guesses from a billion people... for 15 minutes there can be only 5.
Thus, it doesn't matter if it comes from the same computer every time over a period of 10E5 years, or a different computer every time. A modern computer is quite capable of making 5 guesses in 15 minutes, but a trillion computers can't make more than 5 guesses in 15 minutes under this scheme. The only thing that many computers could do would be a DDOS attack against the application gateway/server... and will also bring down service for everyone and not just the account being attacked. (I suppose that many machines could make 'better' guesses, but that is beyond the scope of this argument as even minimum entropy with ideal conditions would still be decades to brute force)
Heck, under this scheme, a single modern high performance CPU would be more than enough to try and attack all 300 million Facebook accounts with maximum efficiency it would still take an average of 10E5 years though (1.5billion guesses every 15 minutes is way less than the 3 billion guesses for a Westome@3GHZ using Base64 encoded SHA1 hashes, for example) And that number will only go up once chips have build in SHA instructions, but it still won't make the net effect any faster.
The lesson here - sanitize your SQL, keep the DB away from the web-server, and for God's sake make sure the application has a modicum of preventative circuit breakers and you will stop a majority of script kiddies.