What, if anything, are you doing to block people from brute-forcing passwords to the admin accounts of your VMS? Users that log in through a domain controller can be protected by controls on the domain controller itself. Users that use "Basic Authentication" are at the mercy of the VMS.
I know that Ocularis has nothing to stop somebody from brute-forcing the password over the course of a few months. In fact, I discovered this issue after stumbling across 272 failed sign-in attempts (over the course of 30 seconds!) that happened the previous month when a customer's IT department ran a vulnerability test. If the installation is connected to the Internet and you aren't watching the logs, a hacker could take all the time they needed to brute force a password and you'd never know about it.
From what I can tell Milestone doesn't have anything built in either, but somebody else may have better information.
For Ocularis, my initial thought was to set up something like fail2ban to read the logs and temporarily block IP addresses. Only problem is that the logs for Ocularis Base go straight into SQL Server, specifically the VSAudits database. That makes it real easy to query in Ocularis Administrator, but there's no good way to monitor them without setting up a potentially costly insert trigger or giving the bad guys a head start by polling on a schedule.
What is everybody else doing? Are you using fail2ban or some other IPS? Does your VMS have built in protections? Do you just hope all your users are using strong passwords?