Most technology rewards people who own fast CPUs or are using stolen CPU time, so this statement doesn't mean much.

What actually matters is "does this significantly negatively impact those with slower processors" (no) and "is it still effective at punishing attackers" (yes).

Impact: I'll set my Hashcash challenge so that it takes about 8 seconds on a 10-year-old middle-of-the-line Intel processor. There, login time is about doubled for people running that extremely old hardware, and that's the worst case - and this is entirely acceptable given that most people do not log in to their accounts very often - they do so once and then stay logged in for weeks or months.

Effectiveness: Even for attackers using stolen CPU time - Hashcash is still effective. If you have malware on a low-power device, that device is going to be far slower at login attempts. If you have a user-facing device, they're much more likely to notice their computer being slow, and do something that might lead to discovery. If you've stolen compute on some cloud, then the IT folks are more likely to notice, and so on.

Rate limiting is good, but is complementary to proof-of-work - if you have a large pool of IPs/devices to log in from, for instance, rate limiting isn't very effective.