"If you're going to configure Account Lockout policies in a real-world environment, set the Account Lockout Threshold policy to something high like 50 or 100 invalid logon attempts." - (via ITreader.net)

I couldn't agree more. I've dealt with many an overzealous IT administrator who thinks anything higher than 3 is a security risk. This is just incorrect when you look at real world attacks and more importantly is poor policy from a users perspective.