Why log authentication attempts at all if all you're giving yourself to work with is a timestamp, IP address and response code? That doesn't give you any actionable information, unless you're only concerned with implementing IP bans after a number of failed attempts and you have no interest in incident response or remediation.
How is it useful or safe?
If a user types their password in the username field, it's really not that much different than accidentally disclosing it in any other field. They can (and do) accidentally paste it into a chat window or in the address bar (shows up in DNS logs) after grabbing it from their password manager. We can't do away with logging altogether just because users make mistakes that might disclose their password.
When I see passwords logged in the username field, I simply reach out to those users and tell them their password was disclosed and will begin propagating throughout systems and databases, so they need to change it immediately to avoid potential compromise. They made the mistake, so it's on them to fix it-- not for me to reconsider the merit of our logging infrastructure.
Are their other benefits to logging the username of a failed authentication attempt?
If you aren't logging usernames, how do you know if someone is enumerating all of the accounts in your AD, or just really heavily targeting one user?
Without usernames, how can you tell whether or not the attacker is randomly guessing at stock accounts (root, admin, etc) or whether they're targeting sensitive individuals (executives, R&D leads, etc)?
If you see a bunch of failures followed by one or more successes, it's safe to assume a user was compromised. Your boss is under fire and demands answers-- tell me which user(s) were compromised, now!
Take all of your logs and mask the username out from all of them. Pick one event and assume it's an indicator of compromise. Also assume you're in a messy corporate environment that's NATted to hell and obfuscates the IP address at every step. Now tell me how this actor might have moved laterally within your network, starting with that event.
Logging across systems is often incomplete, and enterprises generate a ton of simultaneous events so correlation of timestamps is not always an option. We log details, as many of them as feasible, for a reason-- but if you're not logging something as critical as usernames on failed authentication attempts (literally the record of who's causing trouble at your front door), you're blinding yourself for the benefit of your most incompetent users.