The problem comes in the lack of a viable alternative. Google's captcha sucks for several reasons, but it's one of the few captchas on the market that offer a good anti-bot solution for free.
I'm sure that theymos would be happy to implement an another provider if one was provided; I can't imagine he too much likes Google monitoring the site.
I know. Rather like theymos admitting defeat when moving behind Cloudflare. He must keep the site running against the earnest ill-wishes of Internet arsonists; and in case it was not sufficiently clear, I do fully understand the difficulty of his position here.
Yet current lack of a better solution does not change the cold, hard fact that this is locking out legitimate usersand worse, causing some to fire the footgun of mixed Tor/non-Tor use. That needs to be faced, and somehow handled. If I were to write a succinct n00b-level warning on the Tor/non-Tor problem, would mods sticky it? At least, that would be a start.
For suggesting an altogether better solution, it would be helpful to know whether the principal purpose of the login CAPTCHA is 1. preventing bruteforce of luser passwords, or 2. locking out spambots which make automated posts. I suspect (1), and thats less difficult to address:
It does not actually require distinguishing bots from squishy wetware. More secure alternative means of login would sufficeno, Im not thinking 2FA (which I hate), but rather, public keys. (2) does require distinguishing bots, which definitionally requires a Turing test. Ouch.