For many years I have run a simple defense on my Linux systems: Fail to ban. Its very simple: source IP that attempt to login, after a fixed number of failures, are blocked for some time duration. The simplicity is high, but the effectiveness is off the chart.
Attackers have a (high but) limited number of IP to come from. If you have a user with a weak password, lets say it will only take 100K guesses, well at 1 guess per second they would have it in a day. But, if you block guesses for 15 minutes after 3 bad guesses in a row, now it will take them 1041 days, or about 3 years.
Is it a single perfect form of security? No. Its a valid part of your Defense In Depth strategy. It helps switch the cost from defending (you) to attacking (them).