Company X uses username/password authentication to log into its corporate domain. After three successive incorrect login attempts, the account is locked.
Company X maintains a web-based password station where users can go to unlock their own accounts. There are 5 questions to which you must provide the correct response in order to unlock your account.
Assuming 8 characters for each username/password/security question response (7 fields), and only 26 letters and 10 numbers for the characters in each field, this yields an approximate probability of 1/(36**56):
.0000000000000000000000000000000000000000000000
0000000000000000000000000000000000000001
that a random attacker could ever log into the system given unlimited successive failures. This calculation does not even include the randomness of the URL involved for the corporate domain or the password station.
Obviously, the geniuses who came up with this security model were of the political rather than the mathematical persuasion.