
> Yeah, after 3 failed attempts, just lock the user for 1 second.

Do human users authenticate faster than once a second?



Assuming a web page, does the page reload in less than 1 second?

On a full-sized keyboard, the normal rate is 3.3 key presses per second. On a mobile device, I'm sure an 8-character password will take far more than 1 second.

For brute-force attack defense, rate limiting a single account globally to 1/sec, i.e. independent of source IP address, should be sufficient and prevent parallel attacks by bots. This still makes DoS attacks on a particular account easy, though not on the entire system, short of traditional overload.

Many API systems work this way and it's proven effective.
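The per-account throttle described in the comment above, as an added example that is not code from any commenter or product: every failed attempt starts a one second lock keyed on the account, the source IP is deliberately ignored, and the three simulations show the two consequences the comment names (a botnet is held to about one checked guess per second per account, and an attacker who keeps failing against one account denies its owner access). The user table, timestamps, IP addresses and passwords are constructed for the demo.

```python
"""Per-account failed-login throttle: one attempt per second per account,
regardless of source IP.

Added example for this thread, not code from any commenter or product.
The user table, time values and botnet traffic are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass, field

LOCK_MS = 1000  # one second lock after every failed attempt

# Constructed demo credential store: username -> sha256(password).
# Illustrative only; a real store uses a slow salted KDF (argon2/bcrypt/scrypt).
_USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


@dataclass
class LoginThrottle:
    # username -> millisecond timestamp before which attempts are refused
    lock_until: dict = field(default_factory=dict)

    def attempt(self, user: str, password: str, now_ms: int, src_ip: str) -> str:
        """Return 'ok', 'bad_password' or 'throttled'.

        src_ip is accepted only to show that it is deliberately ignored:
        the lock is keyed on the account, so guesses spread across many
        source addresses still share one 1 req/s budget."""
        if now_ms < self.lock_until.get(user, 0):
            return "throttled"  # refused without touching the password store
        expected = _USERS.get(user)
        got = hashlib.sha256(password.encode()).hexdigest()
        # Constant-time compare; unknown users take the same failure path.
        if expected is not None and hmac.compare_digest(expected, got):
            return "ok"
        # Every failure, not a third strike, starts the lock. A throttled
        # request does not extend it, so a legitimate retry is never starved
        # by its own earlier rejections.
        self.lock_until[user] = now_ms + LOCK_MS
        return "bad_password"


def simulate_botnet(total_ms: int, interval_ms: int = 10) -> int:
    """Bots on rotating IPs fire a wrong guess at 'alice' every interval_ms.
    Returns how many guesses were actually checked against the password."""
    throttle = LoginThrottle()
    checked = 0
    for k, t in enumerate(range(0, total_ms, interval_ms)):
        result = throttle.attempt("alice", f"guess{k}", t, f"10.0.{k % 256}.{k % 251}")
        if result == "bad_password":
            checked += 1
    return checked  # about total_ms / LOCK_MS, whatever the bot count


def simulate_human() -> tuple:
    """One typo, then the right password three seconds later."""
    throttle = LoginThrottle()
    first = throttle.attempt("alice", "correct horse battery stapel", 0, "203.0.113.7")
    second = throttle.attempt("alice", "correct horse battery staple", 3000, "203.0.113.7")
    return first, second


def simulate_targeted_dos() -> str:
    """The caveat from the comment: an attacker who keeps failing against one
    account every 500 ms keeps its lock alive, so the real owner is refused."""
    throttle = LoginThrottle()
    for t in range(0, 3001, 500):
        throttle.attempt("alice", "wrong", t, "198.51.100.9")
    return throttle.attempt("alice", "correct horse battery staple", 3200, "203.0.113.7")


if __name__ == "__main__":
    print("botnet guesses checked in 10 s:", simulate_botnet(10_000))
    print("human user:", simulate_human())
    print("owner during targeted DoS:", simulate_targeted_dos())
```

The lock state lives in a single in-process dict here; in a deployment with several login servers it would have to sit in shared storage (or the limiter in front of them), otherwise each server hands out its own 1/sec budget and the global limit the comment relies on is multiplied by the server count.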


So, why not always lock the page for 1 second post-failure, rather than try to capture a 3rd-strike policy?


The login page probably can't be loaded in 1 second ^^



