'Scammed' is not the right word. Ever heard the aphorism "never attribute to malice what can be attributed to incompetence"? Manager types (and unfortunately probably quite a few programmers) have no idea what CAPTCHAs do, and I would bet money that somewhere, somebody has vetoed a server CAPTCHA in favor of a client CAPTCHA because it sounded easier or something. I'm not saying that's what happened here, but don't say it was obviously malice when you just don't know.

Scam does not imply malice.

Usually scammers treat their victims as customers and wish them well.

In this particular example it was combination of technical incompetence [not being able to deliver proper CAPTCHA] with scam [of getting paid for project that did not deliver on promise].

What if they don't know they don't know how to make a captcha? It's an obfuscated image, those are easy to make and check! If you don't know basic things like "never trust the client", and you don't know that they exist to know, then you may not know to tell the client to have someone else do it.

That doesn't excuse the programmer. As a web programmer, it is, to some extent, their job to know when they're out of their league. But second-order knowledge can be a rare skill.

Many programmers have no idea how a CAPTCHA is supposed to work. It never occurs to them to think though how someone would break it. Someone tells them the client wants a CAPTCHA, they go "oh yeah, that's those weird letters on the screen", and are probably pretty proud of how they did it.

Don't believe me?

Think about how often you see obvious SQL injection problems - the same (lack of!) thought process is responsible for both.

You are assuming that the client knows what a CAPTCHA is. Probably the manager at the client-side said "Oh yeah, before I forget to mention it, add that funny image you see on websites - you know, the CAPTCHA thing, a guy at my gym said it improves security. We definitely want good security in this project!".