What about bad actors which swipe the phone, and it's behind the biometric lock? Too many failed attempts may or may not be a sign of it not working well, so if it bases part of it on the failed attempts, it would lower the chances of being further protected. I know they would ask for the pattern/pin or password to re-enroll the biometric, but let's assume that's already known, then game over.