I can only fathom these shops, both management and the webdevs, have no idea how unprofessional their site looks to anyone that isn't using a vanilla ISP connection. And my experience is coming from using a single longstanding VPS address, not even a shared VPN.
A sensible scheme would allow a certain rate of login attempts per any IP before hassling a user, but Google is obviously more interested in getting their training data than making sure you don't lose customers!