But you'd be surprised at how many spammers still got past them. I've heard that in Asia there are big factory type installations where human beings actually are paid to sit and enter Captcha codes so that spammy stuff can get through. There is only so much that we can do.
That's true, but it puts off all the bots and script-kiddies looking for low-hanging fruit and raises their costs enough to hopefully prevent you being a target, so they move on to the next guy's server.
I actually have a more robust membership system that I'll plug into this site at some point which combines better protection with a nicer user experience as well. Instead of just always showing a CAPTCHA (which are sometimes a PITA to get right!) it only shows it after a certain number of failed attempts, and each attempt responds more and more slowly, so even with a possibly compromised CAPTCHA system the number of attempts that people can make is limited, which is enough to thwart them (and helps identify attacks to auto-block or ignore IPs). They think they are making attempts but each is just getting a fake response.
Of course, it also lets people avoid local usernames / passwords altogether and use Google or Facebook for authentication, effectively outsourcing account protection and the fight against bots to 'the big guys' who have more resources to handle them.
Another option (more for banks / techy sites) is to use 2-factor authentication where "something you know" (your password) isn't enough ... to sign in you also need "something you have", which is usually a fob or phone app to generate a pass code. This provides a unique time-sensitive rolling number which makes things pretty damn secure - even if someone knows your password they cannot log in as you!
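
The escalation described in the reply above (CAPTCHA only after several failures, progressively slower responses, then ignoring the source while still answering with a failure) can be sketched like this. It is an added example, not code from the site or from either commenter; the thresholds and the `LoginThrottle` / `Decision` names are assumptions.

```python
import time
from dataclasses import dataclass

# All thresholds below are assumed values for illustration.
CAPTCHA_AFTER = 3    # failures before a CAPTCHA is required
BLOCK_AFTER = 10     # failures before credentials are no longer evaluated
BASE_DELAY = 0.5     # seconds; doubled for each further failure
MAX_DELAY = 30.0     # upper bound on the artificial delay
WINDOW = 900         # seconds after which a failure is forgotten


@dataclass
class Decision:
    delay: float          # how long to wait before responding
    need_captcha: bool    # show and verify a CAPTCHA for this attempt
    check_password: bool  # False: return the generic failure, never check


class LoginThrottle:
    """Per-IP failure tracking; a shared store would replace the dict."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}  # ip -> timestamps of recent failures

    def _recent(self, ip):
        cutoff = self._clock() - WINDOW
        hits = [t for t in self._failures.get(ip, []) if t > cutoff]
        if hits:
            self._failures[ip] = hits
        else:
            self._failures.pop(ip, None)
        return len(hits)

    def before_attempt(self, ip):
        n = self._recent(ip)
        delay = 0.0 if n == 0 else min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)
        return Decision(delay, n >= CAPTCHA_AFTER, n < BLOCK_AFTER)

    def record_failure(self, ip):
        hits = self._failures.setdefault(ip, [])
        hits.append(self._clock())
        del hits[:-BLOCK_AFTER]  # bound memory; newest failures are kept

    # A successful login deliberately does not clear the counter: otherwise
    # a source could reset it by logging in to an account it controls.
```

Call `before_attempt` first, apply the delay, and when `check_password` is false return the same failure message a wrong password would produce, so the response does not reveal that the source is being ignored.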