phpBB shouldn't ship with CAPTCHA plugins that are demonstrably broken. It gives a false sense of security and it bloats the code.
We talked about this during dinner, and what we could do is:
1) Remove all the broken plugins
2) Place a (big) link in the anti-spam ACP page which links directly to the "anti-spam / security" page/tag in the extensions database of titania.
3) Move the code to a demo repo (like the ACME demo), so ext authors can still view the old code and learn how to create their own captchas if they want to do so.