The proposed alternatives are crap. Why shouldn't an attacker read the CSS...

Many (maybe even most) people who use CAPTCHAs are never going to be targeted with a personalized attack. Instead they're using CAPTCHAs to prevent generic, spray and pray spam. The bots know how to post a comment on a Wordpress blog, but making even a small tweak to your comment form can get rid of 99% of them.

> select three hot people but there's only two on that image