I wouldn't go so far as to say that "Invalid login" fails
to buy any security - it prevents users from
trivially determining whether a username is valid or not,
thus significantly increasing the search space for a
brute-force attack. Not a silver bullet by any means (not
even a very shiny one, really), but still enough to be
significant in many cases.
(Yeah, escalating delays are good, too, but a little
trickier to implement in an environment, such as CGI, where
you can't reliably maintain state.)
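
The two points in the comment above, sketched as an added example (not part of the original comment): one generic "Invalid login" reply for unknown names, wrong passwords and throttled attempts alike, with the escalating delay kept in an SQLite file because each CGI request is a fresh process. The account store, table layout, function names and delay parameters are all assumptions made for illustration.

```python
import hashlib, hmac, sqlite3, time

def _hash(password, salt):
    # Iteration count kept small so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account store (hypothetical): username -> (salt, hash).
USERS = {"alice": (b"constructed-salt", _hash("correct horse", b"constructed-salt"))}
DUMMY = (b"dummy-salt", _hash("no such account", b"dummy-salt"))

def open_state(path):
    # Failure counters live on disk: nothing in memory survives between CGI requests.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS failures ("
               "username TEXT PRIMARY KEY, count INTEGER, locked_until REAL)")
    return db

def login(db, username, password, now=None, base=1.0, cap=300.0):
    """Return 'OK' or the single generic string 'Invalid login'."""
    now = time.time() if now is None else now
    row = db.execute("SELECT count, locked_until FROM failures WHERE username=?",
                     (username,)).fetchone()
    count, locked_until = row if row else (0, 0.0)
    # Unknown names are checked against a dummy record, so they cost the same
    # work and are throttled exactly like real accounts.
    salt, stored = USERS.get(username, DUMMY)
    good = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if now < locked_until or not good:
        if now >= locked_until:  # count only attempts made outside the delay window
            count += 1
            delay = min(cap, base * 2 ** (count - 1))  # 1s, 2s, 4s, ... up to cap
            db.execute("INSERT OR REPLACE INTO failures VALUES (?, ?, ?)",
                       (username, count, now + delay))
            db.commit()
        return "Invalid login"
    db.execute("DELETE FROM failures WHERE username=?", (username,))
    db.commit()
    return "OK"
```

Keying the delay on the username means anyone can slow logins for a name they know, which is the usual trade-off of this scheme.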