So, To those of you that are seeing these spam signups, even though you have the "users can register" option turned off, What Plugins are you running? and to confirm, they're recieving the "Subscriber" user role?
Are the signups ongoing, or did they simply show up after the 3.2 upgrade, and you havn't seen any extras? (if this was the case, it's likely you had a old infection which was being hidden via CSS)
If they're ongoing, do you have access to the server logs for that time period? If so, is there any sign of a cause in there? (And if you're not able to interprate them, are you willing to send them along to the WordPress.org Security Team?)
It seems rather pointless for a bot to be exploiting WordPress and "only" creating Subscribers, they've got no permission to do almost anything.. I've seen some OAuth/Facebook Connect/etc style plugins ignore the WordPress users can register option and create accounts for any user which asks for one.. so thats a potential source of unprivledged accounts..