The initial setting for controlling spam are conservative, it's better to see a few false negatives at first than it would be to turn one new legitimate user away.
As time goes by, the setting will be adjusted to be more aggressive.
EDIT: This is one of today's top story on the Boston Herald website:
Harvard websites turning into porn playground
It looks like "the richest" and "the smartest" universities in the world are having a difficult time fighting the spam trend too.
And a link to the original article on Steve Chapman's SEO Whistleblower Blog
Even the birthplace of the browser, UIUC, isn't vulnerable to this epidemic. The home of W3C, MIT, isn't either.
So now for the technical side, getting more aggressive means potentially blocking people that shouldn't be blocked. We're only blocking in the upper half of the LAMP stack. Going full coverage presents challenges, IP blocking sounds good but you have no idea what the IP address really is. It could be a broadband connection, open proxy, Tor endpoint or an infected botnet computer. And the way DHCP leases go, blocking an IP in generally an ineffective solution since the spammers are just going to rotate through and come at you from a new block of addresses the next day. Blocking entire network blocks leaves you with a site that is inaccessible to a portion of the Internet.
So it's a balancing act of providing security while not compromising usability and performance.