Do you think that simply because you omitted that common attack vector that it's magically not going to happen?
Rate limiting, et al., has a singular primary purpose: to make things hard enough that an attacker doesn't get the password hash. Anything else is pure gravy.
Once the attacker has the password hash, the next defense is a strong password. And that's where we need to focus the entire debate about passwords vs passphrases vs biometrics vs telepathy. Assume the attacker has your password hash. This worst-case scenario is reality all too often. Yes, throttle password attempts and all that, but if your server has Sarah Palin or Barack Obama on it, assume that someone, somewhere, will deploy sufficient resources to get that password hash through some zero-day vulnerability. (If your site is just discussing hooch for local rednecks in Bumfuk, Virginia, then the passwords are likely safe, regardless of how insecure the system is.)