Hi Bart, the interval is managed by Mendix, if it is not in, file a feature request.
BTW: brute force attack with 30/min*60*24=43200 attacks a day and a password with length 10 and 72 options per position (26 lowercase, 26 uppercase, 10 digits, 10 special chars) . Has 72^10 possibilities that will take 2.4x10^12 years to test all. Half of that time is the average time to find it. Quite sufficient.
Brute force is not likely, but I do want to play devil's advocate a little bit. IF the malicious party knows about the length or complexity constraints of the password, it makes a little easier to guess. Also, if the party knows anything about you (birthday, middle name, etc.), it also would affect the time needed to guess a password. This is usually the case when it comes to brute force.
Social engineering is one of the most prevalent ways now to get information from users. This is how most people get your information that you might use to create a password (Facebook, Twitter, etc.).
BTW, I think the CAPTCHA module has security issues (see the reviews in the App Store).
You could also think of implementing a SiteKey for mutual authentication, in the case you are worried about phising/pharming.