Well OpenACS allows a certain amount of customization, i.e. you can tell it to demand e-mail verification, some simple stuff like that which hopefully works :)
It would probably be nice to be able to set a minimum password length, require at least one non-alphanum character, etc as an *option* but as you point out, many websites don't contain the treasures of Fort Knox and people don't necessarily want the system to nag them about good passwords etc.
The brute-force attack (which is also a potential DOS attack) is something we've ignored even though we're not really ignorant of it. It wouldn't be hard and not too difficult to add some configuration parameters allowing one to lock an account after N consecutive bad password attempts, or to lock an IP after N consecutive attempts to log in, etc.
For something as general as OpenACS, though, these all need to be configurable, not set in stone.
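An added sketch, not OpenACS code (OpenACS is Tcl; this is Python), of the configurable lockout knobs the post describes: a consecutive-failure counter per account and per source IP, each with its own threshold, a lock that expires after a configurable time, and a reset on successful login. The class and parameter names and the default values are assumptions for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Site-configurable knobs; defaults are illustrative, not OpenACS values."""
    max_account_failures: int = 5     # consecutive bad passwords before an account lock
    max_ip_failures: int = 20         # consecutive failures from one address before an IP lock
    lockout_seconds: float = 900.0    # how long a lock lasts; 0 disables locking entirely


@dataclass
class _Counter:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Tracks consecutive failed logins per account and per source IP (hypothetical helper)."""

    def __init__(self, policy: LockoutPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock            # injectable so tests can advance time deterministically
        self.accounts: dict[str, _Counter] = {}
        self.ips: dict[str, _Counter] = {}

    def _locked(self, table: dict, key: str) -> bool:
        c = table.get(key)
        return c is not None and c.locked_until > self.clock()

    def is_blocked(self, user: str, ip: str) -> bool:
        """Call before the password check; a blocked attempt never reaches it."""
        return self._locked(self.accounts, user) or self._locked(self.ips, ip)

    def record_failure(self, user: str, ip: str) -> None:
        for table, key, limit in ((self.accounts, user, self.policy.max_account_failures),
                                  (self.ips, ip, self.policy.max_ip_failures)):
            c = table.setdefault(key, _Counter())
            c.failures += 1
            if self.policy.lockout_seconds > 0 and c.failures >= limit:
                c.locked_until = self.clock() + self.policy.lockout_seconds
                c.failures = 0    # counting starts over once the lock has expired

    def record_success(self, user: str, ip: str) -> None:
        """A correct password clears the consecutive counters for that account and address."""
        self.accounts.pop(user, None)
        self.ips.pop(ip, None)
```

Because a fixed account lock is itself a way for a third party to keep a legitimate user out, keeping `lockout_seconds` short and the IP threshold above the account threshold limits that side effect.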