The problem with captcha's is that as better bots get written that can "read" captcha's the captcha images themselves end up getting more and more difficult for legitimate users to read. This is a major accessibility issue. Also if you use widely available captchas then the chances are enough other sites are also using them to make it worthwhile developing scripts to crack them.
I've got pretty average eyesight and above average skills but I find some captchas quite irritating so for many people they can be a right old pain in the 'arris.
There is a secure and accessible form I've seen
http://green-beast.com/blog/?page_id=71 but when I went through it I decided it was overkill for any purpose I've ever needed, I did nick some aspects of its security model though.
My method isn't perfect but it does fluster the common types of bot enough to reduce the type of crap that can come through it which tend to either replay the form or resubmit the post data to the form responder.
1) When a form is legitimately submitted create a random hash in a database based on the submit time and any other random process you want to apply to it, this is served to the form as a hidden field and checked against the database during form submit, if it's valid then the hash is deleted, a new one written to the database and the form submitted otherwise the input is ignored. Depending on how busy your form is you might need to alter how many times you honour each hash. This ensures that the form has been completed in the UI meaning that bots can't just keep submitting the POST to the responder.
2) Replay bots tend to target a specific form and complete it as if a user had. A simple time out on the form of a few seconds before submitting. Not enough to irritate a legit user but prevents bots from quickly running known exploits against the form. If someone is specifically targeting your form this won't fox them for long but most "hackers" are opportunists who tend to target weak sites that bots find rather than specifically go for a target site.
3) Include at least one combo box on the form with a default that won't allow the form to submit (e.g. "<select category>")
4) Clean and validate all input.
5) Only allow the form response file to process POST on a referral from your server.
6) Track and time limit multiple submissions from IP addresses.
7) If your code triggers a bot alert give a bogus "thank you for your message" type response, this will prevent the bot owners from investigating your code too closely manually and finding a workaround.
8) Turn off autocomplete on fields to slow down anyone who might want to manually plug data into your form.
Using these steps you end up with a form that doesn't throw up any obstacles to legit users but would require custom scripting specific to your site to exploit, most people don't have the skills or patience to bother just to send you ringtone offers and pen1s enlargement pills.
Oh yeah and don't show your e-mail address in the code
