What makes a VPN user inherently “illegitimate” in your view?
They're using a VPN.
I've never seen anyone using a VPN for anything other than disruptive behaviour. I had to block vast swathes of mobile broadband providers in a certain warlike Middle Eastern country because if I didn't I'd have anywhere from 100 to 1000 new users every single morning who'd all posted hate speech that I won't post here for fear of triggering the right-wing apologists.
Now they just do that over VPNs, which makes keeping them out all the more difficult.
The problem is the whack-a-mole game with hackers and script kiddies. It used to be the case that banning known colo ASNs was enough to get rid of nuisance by STROs, then there was a flood of hacked routers being used for DDoS that was really annoying to get rid of, and then came "residential IP" VPNs and commercial VPNs, both of which get routinely abused by AI scrapers and frankly, the AI scrapers are a worse enemy than the skiddies of 10 years ago. They ruin everything.
And you as a site operator can't really tell skiddies, griefers, AI scrapers and legitimate users apart any more.