There's really no legitimate reason why Twitter allows follows via their API[1]. I'm not sure if they see some benefit from allowing spam-follow bots to run wild or what they could possibly be thinking.
There's also no reason to believe that botting is done via API in most cases. I would think it's easier to detect + ban that way. I don't know how it's done in the majority of cases, but I know it's not particularly difficult to write a bot that drives an actual browser and emulates human mouse behavior.