Sure, with the hashes you can break the passwords quickly, but that requires you first have the hashes. Now think about attacking over the web and brute forcing it. Let's assume they're brain dead and allow you to try all day long. How fast can you try passwords? Remember, you have to consider not only your connection speed, but their speed and the rate their server can answer.
I recently tested hydra on a full duplex 100Mbit network with just two computers on it, one being an ssh server and the other the attacker. The best speed I could sustain was around 220 tries/min. Assuming a 6 character password, lowercase only (English), if an attacker tried for 30 days non-stop and knew the character set, and knew it was 6 characters long, their chance of guessing the password would be (6^26/220/60/24)*30/(6^26) = 0.01%
Keep in mind, out of some 30-odd real-life attacks against an ssh server I've got data on, the fastest attack I've seen is about 150 tries/min and that attack lasted less than 4 minutes. Obviously, if you use a dictionary attack and a dictionary password, the chance of brute forcing it jumps dramatically. But the actual data I have shows most usernames are tried only 1-3 times (depending on the attack) before the attacker moves on to the next account.
But the fact remains, it's not web brute force attacks that need to be feared. It's a server compromise where the hashes are compromised that is to be feared. And with Amazon's GPU clusters available for rent, the best hash can be brute forced quickly and cheaply.
Hotmail's changes are like the TSA. Lots of noise, inconvenience, and expense, but little to no real security improvement.
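Added example, not part of the comment above: a defender-side way to pull the two figures the comment cites (tries per minute per source, and tries per username) out of sshd authentication logs. The log lines are constructed sample data in the usual OpenSSH syslog format, and the `year` parameter is an assumption, since that format carries no year.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the usual OpenSSH syslog format (not real attack data).
SAMPLE_LOG = """\
Mar  3 02:14:00 host sshd[4101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Mar  3 02:14:12 host sshd[4102]: Failed password for root from 192.0.2.10 port 40113 ssh2
Mar  3 02:14:24 host sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 40114 ssh2
Mar  3 02:14:36 host sshd[4104]: Failed password for invalid user admin from 192.0.2.10 port 40115 ssh2
Mar  3 02:14:48 host sshd[4105]: Failed password for invalid user test from 192.0.2.10 port 40116 ssh2
Mar  3 02:15:00 host sshd[4106]: Failed password for invalid user test from 192.0.2.10 port 40117 ssh2
Mar  3 02:20:00 host sshd[4201]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 02:20:10 host sshd[4202]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Mar  3 02:20:20 host sshd[4203]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar  3 02:20:30 host sshd[4204]: Failed password for alice from 198.51.100.7 port 51003 ssh2
Mar  3 02:25:00 host sshd[4301]: Accepted password for bob from 203.0.113.5 port 52000 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def summarize(log_text, year=2024):
    """Per source IP: failed attempts, tries/min, and tries per username."""
    times, users = defaultdict(list), defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # ignore successful logins and unrelated lines
        stamp, user, src = m.groups()
        stamp = " ".join(stamp.split())  # collapse syslog's padded day ("Mar  3")
        times[src].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
        users[src][user] += 1
    report = {}
    for src, ts in times.items():
        seconds = (max(ts) - min(ts)).total_seconds()
        report[src] = {
            "attempts": len(ts),
            # Rate over the observed window; undefined for a single attempt.
            "tries_per_min": round(len(ts) * 60 / seconds, 1) if seconds else None,
            "usernames": len(users[src]),
            "max_tries_per_user": max(users[src].values()),
        }
    return report

if __name__ == "__main__":
    for src, stats in summarize(SAMPLE_LOG).items():
        print(src, stats)
```

A source with many usernames and a low `max_tries_per_user` matches the "1-3 tries, then move on" pattern described above; a source hammering a single account shows up as one username with a high count.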