Your bank account info is private by nature an icloud account is not. People will know your email.
Apple must maintain a balance between security and usability. If Apple were stupid enough to use a 5, 10 or even 20 attempt then cutoff system it would simply create a huge weakness for DOS attacks. Having a cool off period after multiple fails is the best strategy it makes brute force attacks useless as I could take years to get in. Alerting people after failed attempts is useless. Any webmaster knows that every possible point of entry will but subject to constant attemps. People would get these alerts all the time making them meaningless.
In the end it is all dependent on the user. The more sensitive what your protecting the stronger your passwords need to be.