4MB of secp256k1 signatures takes 10s to validate on my 5 year old
laptop (125,000 signatures, ignoring public keys and other things that
would consume space). That's much less than bad blocks that can be
constructed using other vulnerabilities.
If there were no sigops limits, I believe the worst case block could have closer to 1,000,000 CHECKSIG operations. Signature checks are cached so while repeating the sequence "2DUP CHECKSIGVERIFY" does create a lot of checksig operations, the cached values prevent a lot of work being done.
To defeat the cache one can repeat the sequence "2DUP CHECKSIG DROP CODESEPARATOR", which will create unique signature validation requests every 4 bytes.