>In my opinion, the per-source-address limits should NOT apply per-account, but rather should apply to authentication attempts globally
I think the opposite of this. Source limiting is like saying "you drove here via the A32? The last guy who did that was a thief so you're barred".
A lot of people share an IP address, especially on mobile connections or large institutions (nice way to lock out 1000 students at once, or everyone in an office because a few people took 3 attempts to remember which of their 2 or 3 passwords they used for your service), and this problem is only going to get worse - likely rapidly worse - as the address crunch squeezes in.