1. This common assumption simply does not make sense to me. An account farmer could easily use human labour (self or others) to log bots into a large numbers of accounts with “stay logged in” checked, then let them stay logged in to make unlimited spam/nonsense/copypaste posts. It would be trivial; all the bots would need to do is to keep their cookies. I know this because I myself now stay logged in, on a credential apparently set to expire in the year 2023. I have not filled out the CAPTCHA since 10 December. Whereas a password bruteforcer would indeed be stymied by the CAPTCHA. A bruteforcer would also be slowed down by a POW. A spambot could complete the POW once, then stay logged in for years or until permabanned.
I think you should reconsider your opinion
As to me, it doesn't make a lot of sense to use just one spam bot (account) when you can use hundreds or even thousands of them, and this is where captcha kicks in. Without it a spam bot could constantly log in and off using different accounts from the same IP address, so it would be next to impossible even to track them down let alone ban them all. Regarding preventing users' passwords from being brute forced, you don't need a captcha for that. If you enter an incorrect password, the forum will let you try again only after 1 minute, if I remember correctly. And I'm not sure if your IP won't be banned for longer after a few unsuccessful attempts