It's true that attacks other than brute force might be mislabelled brute force, or that the author is talking about brute-forcing against a hashed password hypothetically stolen from Google (you'd very much hope they'd disclose if that happened and force password changes).
However, taking the claim at face value, is it true that:
For reasons too complex to explain here, even some systems, like
Gmail’s, that don’t allow intruders to make millions of random guesses
at a password can still be vulnerable to brute-force attacks.
The answer is a weak yes, they can be, but it's not an especially fruitful line of attack. It's to do with how "don’t allow intruders to make millions of random guesses" is actually implemented.
Google will (I assume) block you if you make too many failed login attempts from a single IP address. But will it lock an account if too many failed login attempts are made on it? ATMs do that, they eat your card if you get the PIN wrong three times. But in order to even make the attempt you have to have the card itself, so the only people who can do this are you or someone who took your card[*].
If Google were to lock your account after three failed login attempts from anywhere in the world, then there would be a trivial (albeit not typically devastating) DoS attack someone could make against Google accounts: just deliberately make a lot of failed login attempts. Anyone who knows your account name can do this, there's no physical token as a second factor. Thousands or millions of people need to go through the rigamarole and inconvenience of unlocking their account using a phone number or backup email address, or perhaps they lose their accounts entirely due to having no up-to-date second factor registered. This hasn't happened, so it can't be all that easy to get Google to lock someone's account.
I don't know what Google actually does about locking accounts that appear to be under attack, but it's certainly plausible that a system like GMail might tolerate quite a lot of nonsense before locking the account.
So, get yourself a botnet of a few million IP addresses, and you can make a relatively slow brute-force attack if you really want to. The more accounts you have to simultaneously work on, the less attempts you make on each account and the less likely each account is to get locked. Just don't make too many attempts per day from each IP address.
As to whether it's plausible that really happened to the author's wife, I doubt it. It's not a great use of a world-class botnet. But for a fairly weak password, two common English words followed by (let's say) a three-digit number, it's certainly possible that a massively distributed brute-force attack could find it, if someone chose to apply one. But this password is not in the "top thousand most common" that an attacker would run first against each account, before even starting on "two English words and three digits". It's far from the lowest-hanging fruit. So in that sense systems like this can still be vulnerable to a live brute force, but it's not a thing that really happens AFAIK. At any rate, I think it's worth the author sounding a note of caution that relying on a password of this form not to be brute-forced would be complacent, but FUD together with "this margin is too small to contain the proof" isn't ideal ;-)
Furthermore, Google doesn't actually let you log in from an arbitrary IP address any more: neither my hypothetical botnet nor the lads from Lagos described in the article, should be able to log in even if they have the password. Believe me, I've been bitten by this in the past trying to legitimately access Google's various APIs using my own account from virtual servers scattered about the place, never mind what would happen if I tried to use other people's accounts. So even given the risk of password guessing, Google does its best to have a further level of security.
[*] Or someone who cloned your card, if you live in one of those third-world type places that don't have Chip and Pin yet. But if you've cloned someone's credit card in those places, there's way more entertaining things you can do with it than mischievously get it blocked.