I think the reality is that this style of attack is difficult enough that it would be something of a last resort, and probably only tried on high value targets. It'd take a long time (you'd probably need 100s of millions of requests) and could be easily noticed.
That said, while it's not instant game over, you don't really want this vulnerability if you can avoid it. Especially in things like authentication libraries.
That said, while it's not instant game over, you don't really want this vulnerability if you can avoid it. Especially in things like authentication libraries.