Hi @jshewfelt,
Thank you for reaching out to us!
At this moment there is no option of counting or setting a limit to the number of incorrect OTP attempts within Forms and you are correct that 10 is a hard limit, after which a new OTP needs to be generated. This is in line with the current Rate Limits, you can find more details on our Knowledge Article.
If you would want, you could you create a Feedback request asking to implement the possibility of a count or limit of the incorrect OTP attempts.
The feedback request includes a voting system where feedback requests with higher votes have higher implementation priority.
Have a great one!
Gerald