Just reading this topic, and as I see it:
1) Yes, visual CAPTCHAs have got very annoying. I've often failed ReCAPTCHA and had to do it twice or more (after which point I give up) but the bots get through it easily because it has been broken. So I've been booted off but never mind: a spambot has taken my place
2) Visual CAPTCHAs exclude visually-impaired folk.
3) There is no point in using two CAPTCHAs at the same time, especially if you know one has been broken as the bot will get through that one easily. If the other one stops it, then that's all what is needed.
4) Uniqueness is the key. The developers of spambots maintain a database of questions and answers, so all they have to do is add the questions and answers to their database, and the end users can use it. Once your Q&A has been broken, your board is wide open to attack. Ask yourself: Will your question hold until you can change it again, and will you be able to change it frequently enough to maintain its effectiveness?
A single good question will only be effective until its added to the database. For example, one question I had was this:
How many horizons does Moya Brennan refer to in her album of that title?
Any Moya Brennan fan will know the answer, and others can always ask a friend
- but once the answer is known and added to the spambot's database, the question is immediately rendered useless, not only for me but also for anyone else who considers it a good question and is not aware that it has already been broken
I once developed a CAPTCHA for phpBB2 which obviously died when phpBB2 was desupported. As far as I know, it was accessible too. I never released it here, and in fact was strongly advised not to. It was operational at a small handful of forums. It stopped spambots dead. The key is that because it was only used in a few places, it was not cost-effective to break it, but had it been deployed at hundreds of forums, then it would have been.
That's the bottom line - does it cost more for spammers to break a CAPTCHA than it does not to? If your forum has a unique enough system, then the answer is YES and it will remain unbroken. As more forums use that same system, the answer tends towards NO and chances are, it will be broken at some point.
Basically, a system that hits spammers where it really hurts - in the wallet - is what is needed, and to do so at minimal cost to legitimate end users.