Why don’t wordpress fix the bruteforce issue with wp-login.php by making its name dynamic and setup using wp-config.php?

I know there are numerous ways to harden wp against bruteforce attacks, however having a file with standard name makes it vulnerable and bots still attempt on it.

Is WP seriously thinking about this issue? What is the expected pathway?

Also same for xmlrpc.php