Because everyone writes absolutely perfect code, no one ever loses anything, and there are no exploits out there.
No, because there is a difference between looking for the perfect castle and realizing that maybe having a wall isn't so stupid and closing the door at night isn't a bad idea, either.
Making brute force attacks difficult is not a question of perfect code. It's a question of not allowing unlimited tries at unlimited speed (online) or not storing unsalted password hashes (offline). It's not a matter of protecting your server from compromise. A serious defense strategy always includes the assumption that several layers of your protection fail and you should still not suffer a total defeat.
you'd better hope they're salted with a strong salt, per-user, and hashed with a function like bcrypt or PBKDF2.
You see, this is the point. Whether or not they are is not a matter of hope like rain and sunshine. It's something you actively control.
There aren't any magical solutions.
No, but there are good and stupid solutions, and it's time we stop using the stupid ones. It's a feature of this anarchy we love so much, because if software was a car... well, at least in the western world you can't legally sell a car without brakes anymore.
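The two controls named in the comment above (limiting online guesses, and per-user salted hashes with a slow function), sketched as an added example that is not part of the original post. The names `LoginThrottle` and `login`, the in-memory `db` dict, the iteration count and the lock timings are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

def hash_password(password, iterations=ITERATIONS):
    """Return (salt, iterations, digest) with a fresh random salt for each user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, record):
    salt, iterations, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

class LoginThrottle:
    """Per-account failure counter: lock after max_fails, doubling the lock each time."""
    def __init__(self, max_fails=5, lock_seconds=300):
        self.max_fails, self.lock_seconds = max_fails, lock_seconds
        self.state = {}  # user -> (consecutive failures, locked-until timestamp)

    def allowed(self, user, now):
        return now >= self.state.get(user, (0, 0.0))[1]

    def record(self, user, ok, now):
        if ok:
            self.state.pop(user, None)
            return
        fails = self.state.get(user, (0, 0.0))[0] + 1
        until = 0.0
        if fails >= self.max_fails:
            until = now + self.lock_seconds * 2 ** (fails - self.max_fails)
        self.state[user] = (fails, until)

def login(db, throttle, user, password, now):
    """db maps user -> record from hash_password; now is a clock value in seconds."""
    if not throttle.allowed(user, now):
        return "locked"  # refused before any hashing happens
    record = db.get(user)
    ok = record is not None and verify_password(password, record)
    throttle.record(user, ok, now)
    return "ok" if ok else "denied"
```

Unknown usernames skip the hash in this sketch, which leaks account existence through timing; verifying against a dummy record closes that gap.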