Captchas operate client-side and a lot of these spam-bots will just circumvent it. Without some sort of server-side intervention (i.e.; Marketo's built-in protections) there will always be a way to get around client-side protections.
I used to have a lot of problems with these spam-bots, but since moving to all Marketo form on all of our web properties, it has pretty much dissapeared, thankfully.
What I put in place, and still have in place, is a SPAM Queue in SFDC. Certain IP ranges and certain keywords ("http://" in the Name, Company, or Title fields, for instance) will toss the Lead into the SPAM Queue. I just check it every now and then and mass delete the bad ones.
Always a game a whack-a-mole with these spammers, isn't it?