PurePath failure rates across the board will depend on the error detection rules configured in the system profile settings. It is specified whether a given error will only be counted as an error (yellow PurePath icon) or fail the transaction completely - which goes into consideration for the failure rate incidents:
By default it looks like 4XX errors will be included in the failure rate only if they are at transaction entry. Any internal ones will just be counted as errors.
We faced issue where we observed high number of 401 errors due to some certificate issue. However the trend for the 4xx internal was okay but not for the 4xx Transaction entry. We were clueless why the alert "failure rate too high" was not triggered. For this we found the 401 was excluded. (Not sure if we did this setting in past, can you pl. confirm?). PFB below snapshot:
It does look like 401 is excluded by default, probably because the assumption is that it's a more 'normal' error but yes I know we saw an instance where a locked out account was a big deal.
There is a measure you can use as a filter in a BT called "HTTP 4xx Response on Transaction Entry" and if you do this it should only be including PurePaths where the entry point failed with a 4xx error.