Even worse, it enables a new kind of malicious behavior: intentionally locking someone out of their own account/device.
A friendlier approach I've seen is to increase an enforced delay between password attempts, which disrupts an attacker's ability to brute force their way in without locking the account-holder out.