While $wgCaptchaBadLoginAttempts appears to activate CAPTCHA after a certain number of bad password attempts are made for an existing account, there needs to be some means of blocking an IP for repeatedly giving random answers to the CAPTCHA itself.
Bots routinely try to play the odds ([[bugzilla:40496]] mentions 4096 possiblities in Asirra, twelve photos with two possibilities, cat or dog, apiece - mw:Extension:VisualMathCaptcha or other simple maths problems in their default configurations are worse still as a random answer to a two-digit sum will be correct 1% of the time).
If the offending IP landed on the block list (and mw:extension:GlobalBlocking if installed) on the third failed CAPTCHA attempt, spammers would be less tempted to try to guess their way past these systems.
There needs to be a way to detect repeated failures (such as dictionary attacks) in much the same way as mw:extension:AbuseFilter can implement three-strikes rules for ongoing vandalism. ([[bugzilla:34913]] raised the issue that AbuseFilter does not have a mechanism to receive reports from other extensions for things like repeated CAPTCHA failures, so its counters can't be used directly here.)