Given the ability to effectively DDoS a server, I'd say it's indeed a threat.
Even in some validation libraries, you'll find some really poor evaluations. For example, doing input validation while typing on an email input field can get pretty nasty, pretty quickly in a couple of the validation frameworks I've used. It was faster/easier to use a simpler validation first, before the more broad validation... (splitting on '@', checking for 2 parts, length and verifying the parts separately), even limiting the length before/after the '@' in practical terms. Of course, this was only a client-side issue... but it's still an issue.