The savings from that approach seem negligible. You still have to design the system to handle the worst case, which is a script just short enough to get past the filter. A malicious attacker would design the script to use the maximum amount of time without triggering the filter, so you have the cost of the script plus the cost of checking its complexity. The only case where you would save anything would be where someone accidentally created a script which requires too much time or memory, which should be rare (akin to creating malformed scripts which fail on valid input for other reasons).