If it's name is randomized, or if the file doesn't even exist, it can't be found, except only by chance.
Then how does a user find it? Take greasemonkey for example--you can just write a script to pretend to be a user anyway. And if you send it to a user's email, well we know that bots already know how to activate themselves.
Having a static file to process comments is a MISTAKE, a weakness, and a security hole.
Well maybe. Maybe not. It might be easier to lock down wp-comments.php if it's more isolated. I think that any user that needs to access the comment function needs to have a form that allows them to submit to. (We're still talking about asymmetric web-design, right?) So I think it might be much the same thing.
I agree with you 100% that spam is a security problem. (But I think you should submit it as a feature request anyway.)
Ipstenu explained it better than I did. If it's simply a matter of redirection, it's arguably easier to get around than something like a captcha. Captchas (used to) work because it required an extra computer (your brain) which was very fast and good at pattern matching, therefore leveraging something a human can do easily that a machine cannot do easily. As far as I can tell on various software, even captchas aren't working well anymore and if they've actually figured out how to do the pattern matching as well as humans, then I don't know what to do next.
If it's working for you, then great. But I think this is a case that obscurity is part of your formula--I think part of the reason it's working for you is that no one wants to write the code just to crack your sites (yet?). I think the moment you include it into WP, it'll do little to prevent the spam for everyone, and just make you like the rest of us ;)
Oh by the way, thanks for sharing it. I'm not trying to knock down your idea. For the people who find your code, I'm sure it will help. My opinion aside, if you file a bug to WP on it, then maybe your idea or something similar can get included: http://core.trac.wordpress.org/