AFAIK, smart bots can solve 9+2=?. This is the reason big websites are increasingly placing trust on Google's Re-CAPTCHA. Unfortunately, Google's Re-CAPTCHA does not provide word challenge anymore. All are just images and they dont get solved even if you are correctly pointing them. The reason behind this is Google's machine learning AI is far from perfect as of yet. They assume, good IP will always correctly solve the captcha. But, they dont. Hence, the irritating problem we face with Tor.
There's a sneaky little way of bypassing (automating) Google's captcha, but requires coding a script, and using that. It's likely how all of these newbie accounts are being created automatically, and being used for malicious purposes. I'm not sure how we would combat this either as removing Google's image verification would result in a lot more spam than we already have. Unfortunately, the way to bypass the google image captcha is fairly well known, and seems like Google don't have any plans on changing it.
AFAIK there just isn't a better solution than the current implementation. I've seen people suggest implementing a captcha per post, but honestly they don't care, because they can automate it with a script. I'm sure theymos is well aware of this issue too, and requiring a captcha per post would affect legitimate users more than that of the spammers. Implementing a simpler approach wouldn't really benefit the forum. In regards to the Tor issue, and how long it can take sometimes. Then, we need to weigh up the pros, and cons, and see if we want usability over forum readability. If it were removed then it would certainly lead to mass amounts of spamming, but the current implementation isn't foolproof either. At least, I don't think so. I haven't had to log on in months, but I'm sure its exploitable like all the other captchas on other sites.