Similarly how many security features work, it doesn't have to be 100% (or it may even be impossible to make it 100%), it just has to be good enough/make the attack expensive enough to deter it. There aren't really any easy task left for humans that a suitably trained ML algorithm couldn't do, and anything more complex would just annoy people. Even if there is such a task, the line moves quickly -- back then reading some colored digits from an image was unfeasibly hard/expensive for bots. Nowadays your phone extracts text from your images in the background.
In this vein, anything requiring ML/expensive computation is still a worthwhile addition, as today the primary purpose of a CAPTCHA is to slow down/rate limit bot-activity. Your single server use case is not really realistic -- it can be easily reverted (it won't come from 3600 IP addresses, otherwise the rate would be much lower), and 3600 times an hour is.. not a lot for a computer. So it seems to do its job well.
In this vein, anything requiring ML/expensive computation is still a worthwhile addition, as today the primary purpose of a CAPTCHA is to slow down/rate limit bot-activity. Your single server use case is not really realistic -- it can be easily reverted (it won't come from 3600 IP addresses, otherwise the rate would be much lower), and 3600 times an hour is.. not a lot for a computer. So it seems to do its job well.