If this kind of system were to include actual failed password attempts on the system, it would be fair to take the 3rd standard deviation above the mean, but on a system that never gets its passwords tested, it is unreasonable to assume that all passwords are under a maximal attack all the time.
Also, what's wrong with "pacing" password attempts - exponential increase of time delay between failed attempts up to maybe 30 minutes. It will take a very long time to guess test1234%^ at 30 minutes per guess.
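The pacing idea above, written out as an added example (not code from the original comment or any referenced system): a per-account throttle that doubles the wait after every consecutive failed login, caps it at 30 minutes, and resets on success. The account names, the 1-second starting delay, the `verify` callback and the injected clock `now` are all assumptions made for illustration; `time_to_make_guesses` shows how long a paced sequence of guesses would take under this policy.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Policy constants (assumed): delays double from 1 s and cap at 30 minutes,
# the cap the comment proposes.
BASE_DELAY_SECONDS = 1.0
MAX_DELAY_SECONDS = 30 * 60


def backoff_delay(failures: int) -> float:
    """Seconds an account must wait after `failures` consecutive failed
    attempts: 0 when there have been none, then 1, 2, 4, ... capped at MAX."""
    if failures <= 0:
        return 0.0
    return float(min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS))


def time_to_make_guesses(n_guesses: int) -> float:
    """Total seconds a single sequence of n_guesses wrong guesses would take
    when every guess after the first waits out the current backoff delay."""
    return sum(backoff_delay(f) for f in range(n_guesses))


@dataclass
class LoginThrottle:
    """Per-account pacing state. Keyed on the account, not the client
    address, so the wait is not reset by reconnecting from elsewhere."""
    failures: Dict[str, int] = field(default_factory=dict)
    last_failure: Dict[str, float] = field(default_factory=dict)

    def seconds_remaining(self, account: str, now: float) -> float:
        """Seconds the account must still wait; 0.0 means an attempt is allowed."""
        n = self.failures.get(account, 0)
        if n == 0:
            return 0.0
        allowed_at = self.last_failure[account] + backoff_delay(n)
        return max(0.0, allowed_at - now)

    def record(self, account: str, success: bool, now: float) -> None:
        """Reset on success; otherwise count the failure and restart the clock."""
        if success:
            self.failures.pop(account, None)
            self.last_failure.pop(account, None)
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
            self.last_failure[account] = now


def attempt_login(
    throttle: LoginThrottle,
    account: str,
    password: str,
    verify: Callable[[str, str], bool],
    now: float,
) -> Tuple[str, float]:
    """Gate a login through the throttle. Returns (outcome, seconds):
    ("throttled", wait_remaining), ("failed", next_delay) or ("ok", 0.0).
    `verify` stands in for the real credential check (assumed signature)."""
    wait = throttle.seconds_remaining(account, now)
    if wait > 0:
        return ("throttled", wait)
    ok = verify(account, password)
    throttle.record(account, ok, now)
    return ("ok" if ok else "failed", backoff_delay(throttle.failures.get(account, 0)))


if __name__ == "__main__":
    # Constructed demo: a fixed "correct" password and a manually advanced clock.
    throttle = LoginThrottle()
    check = lambda acct, pw: pw == "correct horse"  # constructed credential check
    print(attempt_login(throttle, "alice", "wrong", check, now=0.0))
    print(attempt_login(throttle, "alice", "wrong", check, now=0.5))   # throttled
    print(attempt_login(throttle, "alice", "wrong", check, now=1.0))
    print(attempt_login(throttle, "alice", "correct horse", check, now=3.0))
    print("100 paced guesses take %.0f s" % time_to_make_guesses(100))
```

Two things worth keeping in mind when deploying something like this: state lives per account rather than per source, so the pace cannot be reset by changing client address, but that same property means repeated wrong guesses against an account lock its legitimate owner out for the capped delay, so production systems usually pair pacing with a notification to the account owner or a second factor rather than relying on the delay alone.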