Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing. If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from login to bitcointalk.org by deliberately making many bad login attempts from every exit node. Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like. Granted, I could be wrong there. It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login
I guess you should also reread what I wrote
Since you jumped at my assumption of temporarily (note that) banning an IP address but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember and that might not have had to do anything with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course)
You incorrectly assume that a spammer must log in his sibyl accounts from the same IP address. Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address. Also, multiple accounts can be logged in from the same IP address. Either way, there is no reason for a spambot to ever log out
I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them have but certainly not the majority