The hook for Captcha is the <?php do_action( '*******' ); ?>
This appears once on the login template just before the register button as <?php do_action( 'register_form' ); ?>.
What this means is that someone has to use Captch before registering but can login without Captcha, which sort of defeats the aim.
I have added <?php do_action( 'login_form' ); ?> just before the login button and another Captcha shows before login. So all is well until Woo updates again?
Could this not be looked at by Woo as this is a bit of a security risk?