Bots are often programmed to defeat the most popular validation methods, such as phpBB's graphical validator, but even a simple custom validation will defeat virtually all of them. I just use a randomly generated 6-character hex string that people have to fill in at the bottom of the form, and since I started doing that, I've gone from hundreds of spams to only a single spam submission - and even that one may have been put through by a human.

The problem with graphics is that a sufficiently obfuscated graphic is also hard for people to see, and if the graphic doesn't load, people can't submit the form. Text is easier to defeat, but anyone who's spending that much effort to defeat your site security specifically can probably come up with much nastier ways to mess with you. Email bombing, or loading your most processor-intensive page hundreds of times per second, etc. Your security only needs to be good enough to stop the usual stupid, impersonal spam bot, but not so good that it irritates your users.