I don't fault them at all! Oh gosh no, it's WAY bigger than that.
Let me explain:
1) XMLRPC lets apps talk to WP without being IN WordPress. The WP iphone app uses it.
2) Hackers like to use this too, so they try to DDoS your site by hammering that.
3) We block multiple repeated connections from one IP in too short a time span because of #2. To do that, we use ModSecurity.
4) Some apps using XMLRPC are more chatty than others, and cause more traffic because of it. image uploads are almost always the big offender just because of how they have to work.
5) You get a 503
So there are a couple fixes here. Turn off ModSecurity is one, and it's not a good one because it means we can't stop the ddos attacks on you anymore! So if some botnet targets your wp-login.php file, you're going to crash Another fix is for them to be 'less chatty' which is not easy. A third would be for WP to use a better protocol (which actually is being worked on as the JSON API). Finally we have a middle of the road one we're working on, where we work WITH the apps to try and find a way to safely whitelist the specific app in a way that will still protect you.
Hence please do ask them to ping me so I can work with them to see if we can do that last one We don't like whitelisting all the time, since it can be faked and abused, but it's better than a 503 and better than turning off ModSec.