I think each WordPress site owner should find a way to protect their own login portals, whether it be htaccess based for those that have it, or plug-in based for those who don't.
I personally, have /wp-admin inaccessible by anyone other than my own IP. I leave my wp-login.php file open to the public though, but I could lock that out as well via htaccess to only my IP, which I do for some of my clients.
The reason I lock /wp-admin/ but leave the wp-login.php file open, is I also have another plug-in I wrote to keep track of people trying to brute force their way into my site, something I think WordPress should consider making part of its core, that if a login attempt was posted against the login page, an email is sent to the admin with the username they tried.
If like me, you don't have a user called Admin, but get 30 emails in a row with someone trying that to login with Admin, well, you are getting attacked, and should ban that users IP. Thats the whole reason I wrote the plug-in, but you could also add it to your functions.php file, and incorporate it into your themes you build for clients as a native feature.
I just wish WordPress had some built in alert system, or even a 3 strike rule that then emails a site owner when someone tried too many times and failed, so we can investigate potential attacks. Not trying to hijack this thread or go off topic, but check out my login alerts plug-in to see what I mean. It emails me the username and IP address of any user attempting to login. I think its an invaluable tool for WordPress site admins, and for those who don't have htaccess setups, so long as your server can send mail via PHP, this solution might help you. IIS servers sometimes need more configuring to setup the mail side to work with PHP, but thats something your webhost should be able to enable or fix for you, but either way, a login alert to potential brute force attacks should be a consideration for a core feature to WordPress. I know Security is a key focus for WordPress developers, but this should be something built in natively to the core. Just my 2 cents.