In regards to Tor's unwillingness to compromise, I'd say it's more so stubbornness than malice. Having read through the discussion on the 2nd ticket (since the link to the first one seems to be broken), quite a few users seem to be opposed to the idea due to their sheer distrust for Cloudflare. Considering the fact that we're talking about a pretty hardcore segment of an already rather niche (at least compared to the widespread usage of the Internet) privacy crowd (of whom probably very few actually had to manage a website with large and resource intensive traffic), them putting their foot down and raising their battle flags against Cloudflare, a service that they perceive as ideologically incompatible, instead of trying to find a compromise is anything but an unexpected reaction.
There's a sneaky little way of bypassing Googles captcha, but requires coding a script, and using that. It's likely how all of these newbie accounts are being created automatically, and being used for malicious purposes. I'm not sure how we would combat this either as removing Google's image verification would result in a lot more spam than we already have. Unfortunately, the way to bypass the google image captcha is fairly well known, and seems like Google don't have any plans on changing it.
AFAIK there just isn't a better solution than the current implementation. I've seen people suggest implementing a captcha per post, but honestly they don't care, because they can automate it with a script. I'm sure theymos is well aware of this issue too, and requiring a captcha per post would affect legitimate users more than that of the spammers. Implementing a simpler approach wouldn't really benefit the forum. In regards to the Tor issue, and how long it can take sometimes. Then, we need to weigh up the pros, and cons, and see if we want usability over forum readability. If it were removed then it would certainly lead to mass amounts of spamming, but the current implementation isn't foolproof either. At least, I don't think so. I haven't had to log on in months, but I'm sure its exploitable like all the other captchas on other sites.
I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCatpcha Recaptcha
a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).