[eksith]

This shows you've never built a banking site.

All financial institutions will greatly benefit by sending less to the browser, not more. CAPTCHAs as we know are not foolproof, and should be limited. Instead, things like session/ip based hashing of field names, generating anti-csrf tokens and the like are trivial for the backend.

The vast majority of complexity in most projects is needlessly self-inflicted. DRY is dead, less-is-more is dead.

Let's Include All The Things is how Amazon became as pathetic as it is for a major commercial website.