There seem to be three practical workarounds. [Which I will hide behind the nifty new lj-spoiler tag, for those who don't care.]
First is the one suggested by
Second is an idea talked about in some of the Google forums: use page branching to honeypot the spambots to death. While Google Forms is quite simplistic, it *does* have basic branching capabilities: that is, depending on Answer A on page 1, you get to page 2, 3, or whatever. So you can theoretically define a single answer which is obviously correct to a human, but not to a computer, and branch to a dead end if the wrong answer is given, or even just sit and loop back to the same page. Nice in principle; however, it only works for multiple-choice answers, so a spambot that simply chooses those randomly is still going to get through unacceptably often.
So the third option, which I think is probably best for the use case I have, is a variant of that: have a question that requires *text* entry, for which the answer is trivially easy for the intended audience but unguessable for a spambot, ideally one that requires at least slight knowledge of the problem domain. Then you add a script to the spreadsheet itself (yes, as it turns out Google Docs is pretty nicely scriptable), that fires when a form is submitted, checks the entry, and deletes the row if the answer isn't correct. The result is a lot of traffic for Google, but is basically invisible for us.
It takes only a few minutes to implement (assuming you have an appropriate question for your audience), so it's a reasonable workaround until and unless Google comes up with a real answer. (Indeed, it's probably *better* than ordinary captchas in most cases, because it's less mental effort for your real audience...)