Today I got a comment POSTed by a spam bot straight into /wp-comments-post.php, even though Disqus was enabled. The bot knew how to post new comments even if no form is available - it's very simple to do by using a manual POST request.
When Disqus is enabled, it should disable the built-in comment system, as all comments should go through the Disqus JS form.
I have created a patch which uses the dsq_can_replace() logic to determine if Disqus is enabled, and tested it on a development site with Disqus enabled and disabled. When Disqus was enabled, it successfully errored out with a 500 error and an explanation. When Disqus was disabled, it allowed the comment to go through.
I will post the pull request in a minute.
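
A log check for the situation described above, as an added example that is not part of the original post or the plugin's code: it counts direct POSTs to wp-comments-post.php per client address and separates those answered with the 500 status the post reports from those that were not. The Combined Log Format input, the function name and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

ENDPOINT = "wp-comments-post.php"


def direct_comment_posts(lines):
    """Return {ip: {"rejected": n, "not_rejected": n}} for POSTs to the endpoint."""
    hits = defaultdict(lambda: {"rejected": 0, "not_rejected": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # malformed line, or not a submission attempt
        # Drop the query string and compare the file name only,
        # so installs in a subdirectory (/blog/...) are counted too.
        path = urlsplit(m["target"]).path
        if path.rsplit("/", 1)[-1].lower() != ENDPOINT:
            continue
        # 500 is the rejection status the post reports when Disqus is enabled.
        key = "rejected" if m["status"] == "500" else "not_rejected"
        hits[m["ip"]][key] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "bot"',
    '203.0.113.7 - - [01/Jan/2000:10:05:09 +0000] "POST /wp-comments-post.php?x=1 HTTP/1.1" 500 312 "-" "bot"',
    '198.51.100.4 - - [01/Jan/2000:10:06:00 +0000] "GET /wp-comments-post.php HTTP/1.1" 405 0 "-" "curl"',
    '198.51.100.9 - - [01/Jan/2000:10:07:30 +0000] "POST /blog/wp-comments-post.php HTTP/1.1" 500 312 "-" "bot"',
    '192.0.2.1 - - [01/Jan/2000:10:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "browser"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, counts in sorted(direct_comment_posts(SAMPLE_LOG).items()):
        print(ip, counts)
```

On a site where Disqus is enabled, any count under "not_rejected" is a direct submission that the built-in comment handler did not refuse.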