Running a bunch of blog sites, I have learned a thing or two about comment spammers. They are incredibly persistent, and more than willing to go to the ends of the earth to get a link to their (usually virus-filled) sites.
My suggestion: There should be a flag to remove the "URL" field from the comment form, and to immediately block any comment that comes in with anything in that field (which would be code accessing). This is step 1.
Step 2 would be to create a code per site for the comment form, with a hidden field that is filled with this item. It could rotate daily automatically or be created on the fly based on various things. This would make it so that comments had to come through the form, and not through direct submission, as they would not have the current code. Perhaps even offset it based on the post number or name, something so that the same code cannot be used repeatedly.
Finally, comments should default to "never approved". Open comment systems are creating a cesspool effect for WordPress installs, and Google is taking action to punish blog owners as a result. Comment spam is probably one of the top 5 ways now to get free linkbacks to your spam sites, up there with forum postings, guest book links, and similar methods. WordPress really needs to take stronger steps to block the flood in a systematic method, so that all site owners, even the ones who are not inclined to use plugins or understand the configuration, can be better protected.
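
Steps 1 and 2 of the post above, sketched as an added example; it is not part of the original post and is not WordPress code. The function names, the `url` and `form_code` field names, the use of HMAC-SHA256 to derive the code, and the one-day grace window are all assumptions made for illustration.

```php
<?php
// Added illustration; function names, the secret and the sample values are hypothetical.

const SECONDS_PER_DAY = 86400;

/** Code bound to one post and one UTC day, keyed with a per-site secret. */
function comment_form_token(string $siteSecret, int $postId, int $now): string
{
    $day = intdiv($now, SECONDS_PER_DAY);
    return hash_hmac('sha256', $postId . '|' . $day, $siteSecret);
}

/** Returns null when the submission is acceptable, otherwise the reason it is blocked. */
function check_comment(array $form, string $siteSecret, int $postId, int $now): ?string
{
    // Step 1: the form no longer offers a URL field, so any value came from a direct submission.
    if (($form['url'] ?? '') !== '') {
        return 'url field filled';
    }
    $given = $form['form_code'] ?? '';
    if (!is_string($given) || $given === '') {
        return 'missing form code';
    }
    // Step 2: accept today's code and yesterday's, so a page loaded before midnight still works.
    foreach ([0, SECONDS_PER_DAY] as $age) {
        $expected = comment_form_token($siteSecret, $postId, $now - $age);
        if (hash_equals($expected, $given)) { // constant-time comparison
            return null;
        }
    }
    return 'stale or foreign form code';
}

// Constructed sample data.
$secret = 'constructed-per-site-secret';
$now    = 1700000000;
$code   = comment_form_token($secret, 42, $now);

$samples = [
    'via form'    => [['comment' => 'Nice post', 'form_code' => $code], 42],
    'url filled'  => [['comment' => 'hi', 'url' => 'http://example.test', 'form_code' => $code], 42],
    'direct post' => [['comment' => 'hi'], 42],
    'code reused' => [['comment' => 'hi', 'form_code' => $code], 43],
];
foreach ($samples as $label => [$form, $postId]) {
    printf("%-12s %s\n", $label, check_comment($form, $secret, $postId, $now) ?? 'accepted');
}
```

A code like this only proves the submitter fetched the form for that post within the last day; a bot that loads the page first still gets a valid code, so it complements moderation rather than replacing it.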