Originally Posted by anabolism
Your answer, while detailed and factual, doesn't actually explain how a VPN makes it more likely that a user is an attacker. Blocking access to a site by VPN users is too broad a brush. A site could, just off the top of my head, allow access by users with cookies that indicate recent successful authentication, and send other users to a more-thorough verification check.
It's not the VPN itself, it's the IP address that you end up using when you use a public VPN. Your risk profile is effectively the same as everyone else using that same node on that public VPN. Log into your corporate VPN and it's a different story. Or a VPN you run yourself.
By choosing to use the public VPN service you've effectively chosen to walk into some downtrodden bar in a dodgy district somewhere, and although you might have innocently assumed it was an OK place to go for a drink, there's a bunch of people in there just watching their geo-ringfenced Netflix content in the snugs, but at the bar you're actually rubbing shoulders with some of the local criminal lowlife. The police walk in and start asking questions of everyone at the bar, they want to know why you're there and what you're up to associating with the others at the bar, and they're likely to be aggressive with their questioning. They might send you down the station for more questions (2FA challenge), or they eject you out for your own safety for drinking in the wrong place and suggest you drink elsewhere in future (Cloudflare 1020 error).
But if you used your native IP address or a private/corp VPN your reputation would likely not be besmirched with other internet lowlife who think their VPN is going to protect them. By using your native IP address you're now drinking at the bar of your multi-star hotel of a reputable brand where you have status and can earn some points and stuff that FT members care about. The chance that police are going to walk in is already low, and even if they do they would likely be polite and apologise for inconveniencing you.
You're right to question whether the login process of the forum could do more to provide protection, but InternetBrands are using some off-the-shelf forum software albeit with some customisation. The capabilities of the login authentication are fairly basic, as they are for most forums. It doesn't appear to do 2FA, or if it does it will cost more, which will have a detrimental impact on the economics of the service. So although I agree it would be good to do more with analysis of the login cookies I guess they are pretty much stuck with what the underlying software provides unless they develop something themselves at considerable cost and ongoing cost to maintain, or they wait for the bulletin board software provider to develop something better or plugins into the big boys (Google, Microsoft, Facebook, Twitter, etc) to reuse an identity you already have. There may be upgrades available that they haven’t implemented, but I don’t have any insight here.
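
The approach discussed in this exchange (letting a shared-VPN visitor through when a cookie proves a recent successful login, and sending everyone else on that address to a step-up check) is sketched below as an added example; it is not part of either post and not the forum software's code. The cookie format, signing key, 14-day window and reputation table are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"   # assumption: server-side signing key
MAX_AGE = 14 * 24 * 3600           # assumption: login cookie trusted for 14 days
# Constructed reputation feed using documentation address ranges.
REPUTATION = {
    ipaddress.ip_network("203.0.113.0/24"): "public_vpn",
    ipaddress.ip_network("198.51.100.0/24"): "abusive",
}

def issue_cookie(user, now):
    """Return 'user|timestamp|mac', set after a successful full login."""
    payload = f"{user}|{int(now)}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def cookie_is_fresh(cookie, now):
    """True only if the MAC verifies and the login is recent enough."""
    try:
        user, ts, mac = cookie.split("|")
        issued = int(ts)
    except (AttributeError, ValueError):   # missing or malformed cookie
        return False
    expected = hmac.new(SECRET, f"{user}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    genuine = hmac.compare_digest(mac.encode(), expected.encode())
    return genuine and 0 <= now - issued <= MAX_AGE

def ip_label(addr):
    """Look up the reputation label of the network an address belongs to."""
    ip = ipaddress.ip_address(addr)
    for net, label in REPUTATION.items():
        if ip in net:
            return label
    return "clean"

def decide(addr, cookie, now):
    """Return 'allow', 'challenge' (step-up verification) or 'block'."""
    label = ip_label(addr)
    if label == "abusive":
        return "block"
    if label == "public_vpn":
        # Shared exit node: the address alone says nothing about this user,
        # so fall back on proof of a recent successful login.
        return "allow" if cookie_is_fresh(cookie, now) else "challenge"
    return "allow"
```
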