Nice thread. After reading what has been posted so far, I would add:

The "user name" and "password" combination for access control is like requiring two keys to open the door (or more like, having to know where the door is in a dark room, and then having the key to open it). If someone is using a brute force attack on a specific user account, this means the attacker already has one of the keys (or knows how to find one of the doors), and the task of breaking in is nearly half-way solved.

As others have said, the appropriate action to be taken in this case depends on the potential damage to the system, the service, the service owners/maintainers, and the users. If the damage could be severe, then everyone with a legitimate interest at stake would view locking the account as a welcome intervention.

If protecting against break-ins is mostly for your benefit (as owner of the site, i.e. to protect your content) rather than for the benefit of the users (to protect stuff that they keep on your site), then locking out accounts because of brute-force attacks might be perceived by your customers as a good reason to stop paying you money (bad for you). So if you feel that your content needs significant protection, you might want to take a more measured approach -- e.g. block a specific client IP address after some small number of failed login attempts.