The problem with delayed response after incorrect login,
is that it converts the security routine into a denial-of-service tool, which is another bad thing. An attacker can make the service unusable for legitimate users, and maybe persuade the network owner to reset the device to factory defaults, including default password.
I'd guess that someone originally intended to have only 4-digit PINs, someone else said "That's insecure, add some more digits", so they added some more digits in effectively the form of a second 4-digit PIN after you had got the first one right.
Register
The problem with delayed response after incorrect login,
is that it converts the security routine into a denial-of-service tool, which is another bad thing. An attacker can make the service unusable for legitimate users, and maybe persuade the network owner to reset the device to factory defaults, including default password.
I'd guess that someone originally intended to have only 4-digit PINs, someone else said "That's insecure, add some more digits", so they added some more digits in effectively the form of a second 4-digit PIN after you had got the first one right.