Ocean, your examples by Microsoft are .NET so they don't apply. Does not apply to classic asp, which is what is primarily attacked.
incrediBill, the code they send is ENCODED, so you can't check what it is, it looks like a hex string, nothing more. So it isn't that easy as it seems, we've had a licensed software package running that was hit and broken into like that few years back, had to tighten things on the database end as well.
You can program your way out of a wet bag, but can't have all possible UI leaks detected, there's way too many points of entry, and for any small company it is commonly cost prohibitive.
Tell that to Microsoft, BTW, who with their Windows OS up until release 2008 still can't figure out blocking of the brute force login attack, I'm sure they'll like you comparing their codes to wet baggers :)