On log in forms / auth schemes though things like CAPTCHA can be implemented, 2FA, or risk based auth etc. While nothing is perfect, these can help limit scope of mass password guessing and account locking - especially if it's combined with active monitoring.
Even on web services that authenticate users, at least for us, things like authenticating the client app in addition to the user credential provides that layer of protection. This prevents any random person from being able to use the service and mitigates the risk. Obviously Microsoft would have to support that capability here to do like mutual TLS auth + passing user creds.
If I expose just an STS with password only (that does nothing but try the bind to the directory), then it's wide open to allow someone to slow password guess or denial of service account locking.
It comes down to what, if any, mitigations can be put in place on the STS to prevent things like that. IP filtering (not super viable given Microsoft's dynamic nature on these)? Risk-based auth? Authenticate the client app? Or does it just have to be a documented accepted risk?