That's absolutely overzealous and usually gets fixed in a day or two.
The worst I've seen was someone blocking entire IP ranges due to fraudulent activity. Once their overall sales started declining, they realized they managed to ban entire university campuses because one fraudsters decided to use the dorm wifi for carding
Plenty of businesses are happy to block 20% of real customers to decrease fraud rates by 80%.
Especially low margin businesses, where you might have revenue of $20 in a transaction, but a profit margin of just $0.20, fraud is really painful if you lose the complete $19.80. You're happy to turn away a lot of custom to avoid some fraud.
Classic example: Bank loans. They might only earn 1% of the principle, so a fraudster who runs away with the whole principle has to be really rare.
Worse is how it's completely asymmetric. For example micro-donation based services such as charities are flooded with fraud because they are a prime avenue for card testing.
It's also a volume question. If you have low margins but high volumes, you might run a very sophisticated anti-fraud setup to walk the razor thin line around compliant chargeback and refund rates.
From the consumer POV of course it's all the same and annoying at that. But the plumbing behind the system has some insane blunt tools, some programs held together by excel-sheets and duct tape while others are super complex with blackbox rulesets.
The worst I've seen was someone blocking entire IP ranges due to fraudulent activity. Once their overall sales started declining, they realized they managed to ban entire university campuses because one fraudsters decided to use the dorm wifi for carding