This "protection" is just a lousy compromise to slightly alleviate an enormous design fault. Namely, that Apple allows the iCloud password to be reset using the PIN of the device. This is absolutely stupid. The protection of the device and that of the iCloud account should be two completely different things. Losing the PIN should only cause you to lose the device, not the whole account. All the iCloud security settings, password, hardware keys, you name them, are totally worthless if they can be bypassed by saying "I forgot my password" and having it reset by merely providing the iPhone's PIN. This is the basic issue, which people have been complaining about for years.
Instead of fixing this incredibly major bug, they've implemented a convoluted workaround to slow down the attacker in case of theft, but at the expense of annoying and hindering you the rest of the time. Disappointing to say the least.