You're both right; for this one I'll wait until tomorrow (Monday) ~2000 UTC to make the change.
Cheers.
If we want to limit botting, I think a few other measures could (but not necessarily) be put in place:
- Longer cache on order book API. This will not affect regular users but will require additional work by bot owners to grab up-to-the-moment data for their bots. However, this just pushes them off to web scraping the orderbook. Making the orderbook require authentication helps to identify the bots, and rate limit pageviews (kind of how CloudFlare detects a ratelimit violation when they help protect against DoS).
- Rate limiting the OAuth API order creation (or any order creation without 2FA)
- Charging a very minor fee for order creation and cancellation... minimal enough to not affect normal users, but significant enough to add cost to running a bot 24/7 with constant order updates. Something like 0.00001 maybe. Perhaps allow the first 20 order updates per day to be free, to not impact the average user at all.
Really, these are just inconveniences for the bot owners, but they require some work and/or expense to overcome. More barriers lead to fewer bots, and provide a fun challenge to the people attempting to create a profitable bot. It is, however, a cat-and-mouse game. As people build smarter bots, combatting them becomes more complex. At some point the cost/benefit isn't worthwhile, and this cuts into dev time spent on new features or bugfixes.
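A sketch of how the rate limit and the fee with a free daily allowance from the post above could combine on the server side. This is an added example, not part of the original post and not the exchange's code. The 20 free updates and the 0.00001 fee come from the post; the 60-second window, the limit of 5 actions without 2FA, and all class and function names are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from decimal import Decimal

FREE_UPDATES_PER_DAY = 20             # figure suggested in the post
FEE_PER_UPDATE = Decimal("0.00001")   # figure suggested in the post
WINDOW_SECONDS = 60                   # assumption: sliding-window length
MAX_NO_2FA_PER_WINDOW = 5             # assumption: cap on actions without 2FA
DAY = 86400

@dataclass
class Account:
    day: int = -1
    updates_today: int = 0
    recent: deque = field(default_factory=deque)  # timestamps of no-2FA actions

class OrderGate:
    """Hypothetical gate in front of order creation and cancellation."""
    def __init__(self):
        self.accounts = defaultdict(Account)

    def submit(self, user, now, has_2fa):
        """Return (accepted, fee) for one order action at epoch second `now`."""
        acct = self.accounts[user]
        if now // DAY != acct.day:               # new UTC day: reset free allowance
            acct.day, acct.updates_today = now // DAY, 0
        if not has_2fa:
            # Drop timestamps that have aged out of the sliding window.
            while acct.recent and acct.recent[0] <= now - WINDOW_SECONDS:
                acct.recent.popleft()
            if len(acct.recent) >= MAX_NO_2FA_PER_WINDOW:
                return False, Decimal("0")       # rejected actions are not charged
            acct.recent.append(now)
        acct.updates_today += 1
        over = acct.updates_today > FREE_UPDATES_PER_DAY
        return True, (FEE_PER_UPDATE if over else Decimal("0"))

def simulate(gate, user, count, start, step, has_2fa):
    """Submit `count` actions `step` seconds apart; return (accepted, total_fee)."""
    accepted, total = 0, Decimal("0")
    for i in range(count):
        ok, fee = gate.submit(user, start + i * step, has_2fa)
        accepted += ok
        total += fee
    return accepted, total
```

A bot that re-quotes every 10 seconds for a full day pays for 8,620 of its 8,640 updates, while an account that stays under 20 updates pays nothing.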