in reply to Why do you have to worry about Brute Force Attacks?
Brute force prevention - as has been pointed out above by everyone else - is necessary. However, like all security measures, it has to be applied in the right amount.
For instance, my work has policies on the Windows Active Directory logins. There is a maximum of three failed attempts in an hour. Additionally, passwords must be changed every 90 days, and there are fairly tight restrictions on what passwords can be.
This might seem reasonable, but when you add in the fact that many applications in the company use Active Directory as their authentication system, you see that users can easily legitimately enter their password incorrectly more than three times in an hour, locking out their accounts. A policy closer to 20 (or even 50) attempts in an hour would seem much more reasonable to me - it would almost eliminate the number of locked out accounts, while not really making it easier to brute force.
If your security is overzealous, it will cause legitimate users to find ways to circumvent it - just so they can get some work done. If this happens, you know your security measures are failing.
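The trade-off described in the reply above, as an added example that is not part of the original post: a sliding one-hour failure counter run over constructed login events at thresholds of 3, 20 and 50. The account names, timestamps and the function `simulate_lockout` are hypothetical. The model assumes an account locks when its failures in the window reach the threshold and that a successful login does not reset the count.

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds: the "in an hour" window from the post


def simulate_lockout(events, threshold, window=WINDOW):
    """Return {account: lock_time} for a 'threshold failures per window' policy.

    events: (timestamp_seconds, account, success) tuples.
    Assumption: the lock triggers when failures in the window reach threshold.
    """
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    locked = {}                  # account -> time the lockout triggered
    for ts, account, ok in sorted(events):
        if account in locked or ok:
            continue  # locked accounts reject everything; successes are not counted
        q = recent[account]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            locked[account] = ts
    return locked


# Constructed sample data, not taken from any real log.
# "alice" just changed her password; several AD-backed applications still
# hold the old one and retry, and she mistypes the new one once.
ALICE = [
    (0, "alice", False),     # mail client, stale password
    (300, "alice", False),   # mail client retry
    (600, "alice", False),   # mail client retry
    (900, "alice", False),   # VPN client, stale password
    (1500, "alice", False),  # intranet app, typo
    (1600, "alice", True),   # correct password
]
# "bob" receives 500 consecutive wrong passwords, one per second.
BOB = [(2000 + i, "bob", False) for i in range(500)]
EVENTS = ALICE + BOB

if __name__ == "__main__":
    for threshold in (3, 20, 50):
        print(threshold, simulate_lockout(EVENTS, threshold))
```

At a threshold of 3 both accounts lock; at 20 or 50 only the account receiving the run of 500 failures locks, and it does so within the first minute of that run.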