This is rather interesting but the RPC server should not ordinarily be exposed outside of a trusted network. Certainly not with an unencrypted wallet.
This was one of the main reasons behind me creating my terminal based frontend.
The approach should be to connect using a secure tunnel like SSH and interface with the Bitcoin Core daemon from there.

Ignoring that, I would take issue with the claim that it would take around an hour to brute force the password if on same network.
I can't say I've tried but you are claiming that you can get off over a million authentication attempts per second over a network. (4294967296/3600).
Just sending a ten byte auth request would make that 10MB/s sustained.

The RPC server is not especially fast. I have not tested but it would not surprise me if you struggled to get a few hundred auth attempts per second on a local machine. That would put you at over a month. If anyone has the time it would be interesting to see how quickly you can fail auth and try again.

I don't wish to speak for the core developers here but I would not be surprised if there are numerous vulnerabilities in the RPC server - it is likely not intended to be used with unsanitised input.