You say that, but most of the time when somebody gets hacked it's operator error and not a programming issue (i.e., the account was given to the person via social engineering, not by the person defeating the authentication system).
I'm sure the people at the Pentagon are aware of it as an attack vector, and I am also fairly sure their mitigation plan isn't "just make it really shitty and slow lmao".