Of course humans can get past C/R. Truth is humans can get past anything. If we build a spam system so good a human being can't get past it, we're surely blocking tons of real mail.

People forget that our paper mailboxes get half a dozen pieces of junk mail every day, even though in that world it costs 50 cents to a buck to print and mail each piece. But 6 pieces of junk mail, once a day, while annoying, is only that -- annoying. It doesn't overwhelm the mail system.

As noted, C/R is the system to use when you can't identify an incoming mail as spam or not spam. If you make a solid identification either way (for example it is talking about millions of dollars held in a nigerian bank account) you don't challenge it.

My simple prompt (not really a challenge) on this blog has a human spammer get "past" it once or twice a week. A low enough rate that I manually delete them fairly quickly. Frankly, I don't know why they do it, since I put "nofollow" on all the links in posts so the search engines ignore the links they enter.

However, the 1 to 2 is not unexpected. You don't want a perfect anti-spam system. What you want is a perfect delivery system, that delivers real mail as reliably as possible, while getting rid of the most spam that it can. C/R as the final stage of a spam filtering tool is the best currently available approach, if the forgery problem can be handled.