It's not about having to be 100% effective, it just has to be worth it considering the trade-off of introducing a hurdle for every legitimate user using your website.

I would probably value my time, spent solving an annoying reCAPTCHA tapping on slowly fading pictures of what an American would consider a school bus before being asked to try again, more than a fraction of a cent. Of course reCAPTCHA probably considers me an edge case using Firefox with tracking protection and not being signed into Google, but it's just rude to require users to deal with this on a common basis. A local government website here requires me to solve a reCAPTCHA every time to view or refresh a timetable even though it's already locked behind an identity verification step involving logging in through my bank.

It would be smart to put some sort of CAPTCHA or other verification step to a website when signing up with just an email, because otherwise the cost for someone to automate making a million accounts would be $0.00. But it should at least be properly implemented, I've run into websites that use the invisible reCAPTCHA v3 and when my Firefox browser inevitably fails the check, it doesn't even give me a challenge of any sort, just an error message and I can't sign up or even sign in to my previously made account. A literal hurdle I can't get past as a legitimate user. If I were a spammer though apparently it would only cost less than a quarter of a cent to get past it.