It's generated client side so more advanced users can still pick their own :-)
Yup, that's by design. But even still the server does do some basic sanity checking, e.g. you can't pick 'password' as your password.
I was thinking about that, but the primary problem is that it looks easy to remember. For instance the password I got: "wolf curve arrow wing", which looks easy enough to remember, so I'm probably not going to write it down. But unless I use it every day, it's something that I will forget.
Edit:
You can even get by on just 3 words (33 bits) since this will be 8.5 billion combinations. Cost to solve 1000 google reCAPTCHAs ~ $0.80 cents. And no one has $6 million USD in their bustabit account to be targeted.
The long term goal is to actually remove the recaptcha (although still have a sort of fail2ban) completely =)
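The arithmetic behind the "3 words = 33 bits = 8.5 billion combinations" remark, plus the two design points made earlier in the thread (generate client side from a CSPRNG, but still sanity-check on the server), as an added Python example. This is not bustabit's code; it assumes a 2048-word list (11 bits per word, which is the only list size that gives exactly 33 bits for three words), a tiny constructed sample wordlist for the generator, a constructed denylist, and the reCAPTCHA price quoted in the thread as the per-attempt cost of an online guess.

```python
import math
import secrets

# Assumed wordlist size: 2048 words = log2(2048) = 11 bits per word,
# so 3 words = 33 bits, matching the figure used in the thread.
WORDLIST_SIZE = 2048

# Constructed sample wordlist, only so the generator can run stand-alone.
# A real list would have WORDLIST_SIZE entries; entropy is computed from the
# list actually passed in, so a short list is honestly reported as weak.
SAMPLE_WORDS = [
    "wolf", "curve", "arrow", "wing", "stone", "river", "lamp", "field",
    "cloud", "amber", "drift", "harbor", "maple", "orbit", "quartz", "vellum",
]

# Constructed server-side denylist (the thread mentions 'password' is rejected).
DENYLIST = {"password", "123456", "bustabit", "qwerty"}


def passphrase_entropy_bits(words_per_phrase, wordlist_size=WORDLIST_SIZE):
    """Entropy of a phrase of uniformly chosen words: n * log2(list size)."""
    return words_per_phrase * math.log2(wordlist_size)


def passphrase_combinations(words_per_phrase, wordlist_size=WORDLIST_SIZE):
    """Size of the search space an online guesser would have to cover."""
    return wordlist_size ** words_per_phrase


def exhaustive_online_cost_usd(words_per_phrase, usd_per_1000_attempts=0.80,
                               wordlist_size=WORDLIST_SIZE):
    """Cost to try every phrase when each attempt costs one solved reCAPTCHA.

    usd_per_1000_attempts is the price quoted in the thread (assumed here).
    """
    per_attempt = usd_per_1000_attempts / 1000.0
    return passphrase_combinations(words_per_phrase, wordlist_size) * per_attempt


def generate_passphrase(wordlist, words_per_phrase):
    """Client-side generation: secrets.choice draws from the OS CSPRNG.

    random.choice would be the wrong tool here; its Mersenne Twister output
    is predictable from a few observed values.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words_per_phrase))


def server_sanity_check(candidate, min_words=3, denylist=DENYLIST):
    """Server-side check that does not trust the client's generator.

    Returns (accepted, reason). A user who bypasses the generator can submit
    anything, so the server rejects obvious weak choices regardless of how
    the value was produced.
    """
    normalized = candidate.strip().lower()
    if not normalized:
        return False, "empty"
    if normalized in denylist:
        return False, "denylisted"
    if len(normalized.split()) < min_words and len(normalized) < 12:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 4)
    print("generated:", phrase)
    print("bits (sample list):", passphrase_entropy_bits(4, len(SAMPLE_WORDS)))
    for n in (3, 4):
        print(f"{n} words from {WORDLIST_SIZE}: {passphrase_entropy_bits(n):.0f} bits, "
              f"{passphrase_combinations(n):,} combos, "
              f"${exhaustive_online_cost_usd(n):,.0f} to try all online")
    print(server_sanity_check("password"))
    print(server_sanity_check(phrase))
```

The cost figure is for an exhaustive online search with a CAPTCHA in front of every attempt; it drops to nothing once the CAPTCHA is removed, which is why the thread pairs that plan with a fail2ban-style rate limit, and it says nothing about an offline attack on a leaked hash, where the 33 bits alone decide the outcome.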