wp-login.php is still there and can still be accessed. However, the bona fide user is never directed to that page, only to the 'in-theme' login page. If someone goes directly to wp-login.php then they will have to go through the extra security layer.
In that respect it's not 100%, but at least your site never directs the user to wp-login.php.
Right now, I'm working from an ip address that has never been used to log in. When I try to go directly to wp-login.php, I see the extra security layer. Then if I use the login link on my web page, it goes straight to the login dialog.