But isn't it more security by obscurity, as by limiting the activity time the time window for any trojan to spy the password is smaller.
Also if not enforcing this by default, I assume nobody will really take care of this option.
If the user / admin would know about the problem he would more than that make use of:
fail2ban against bruteforce on the server,
forced (or at least configured) ftps (!= sftp),
forced password policy (complexity)
forced password renewal (aging), optionally with time based deactivation.
To assist the admin, ISPConfig could alert on the ftp tab, if some of the above mentioned mitgation options are not in place.
Just as an additional idea on how to assist solving this issue.