> A system shouldn't allow 1000 login attempts to the same account per second.
Cracking passwords generally isn't done by attempting to login, but by hacking into the database, obtaining the password hashes and then running a password cracker on them offline (using a dictionary, rainbow tables and whatnot). Cracking passwords like 1-2-3-4 is almost trivial in this case. "Difficult" passwords are a lot harder to crack this way.
So if you use 1-2-3-4 as a password on several sites, and only one of those sites gets compromised by a hack, your password for all the other sites get exposed.