Spamflood (v1.7 / captcha) (Bugs)

by Alfie ⌂, Vienna, Austria, Wednesday, May 28, 2008, 14:01 (5805 days ago) @ Freddy

Hi Freddy!

Since you are from Germany, please post questions concerning the 1.x-branch to the German 1.x forum.

Graph CAPTCHAs are no longer safe anyhow - in most cases (see the freeware pwntcha for examples and crack rates).
The one you are using is pretty easy to crack, because the bold sans serif font you are using sticks out from the background.
Actually you have some options in v1.7: increase the strength of the captcha - use a serif font rather than a sans serif font - and try to create another background image which merges with the font.

The list of not accepted words may also help...

If you have access to the server-log, you may try to track down the spammer's IP and put him/her on the banlist. Hopefully he/she has a static IP - otherwise your odds are bad...
On the other hand, if the entries have the same origin - let's say throughout a couple of days - you may opt for rougher methods. You can deny access to the site based on the IP in your .htaccess-file. Just send the guy an HTTP-403 status code. Example (.htaccess):

# Block spammer-IPs
deny from xxx.xxx.xxx.xxx
ErrorDocument 403 /path/403_forbidden.html

If you want to block more than one IP, just add another line.
'/path' must lead from the document root to the directory containing the error-file '403_forbidden.html'. The error document must exist - otherwise an HTTP-404 (not found) is produced.
This method has the advantage that the forum is not involved at all - it simply blocks your site from any access. Testing is a little bit tricky - if you have a static IP yourself. :-D

If this does not help, most likely you would have to wait for the final 2 version of mlf. Though the CAPTCHA/IP bans/not accepted words are essentially the same - there's additional spam protection by Bad-Behavior and Akismet. Here we had some spam in the beginning, but right now we have about one entry/month with only the math-captcha active.

--
Cheers,
Alfie (Helmut Schütz)
BEBA-Forum (v1.8β)
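
Added example (not part of the original post or of the forum software): one way to do the server-log step described above, finding IPs that keep posting over a couple of days and printing matching `deny from` lines. It assumes Apache common/combined log format; the posting path `/forum/posting.php`, the thresholds and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefix of an Apache common/combined log line: client IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} '
)
POST_PATH = "/forum/posting.php"  # assumption: set this to your forum's posting script

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [26/May/2008:03:12:01 +0200] "POST /forum/posting.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [26/May/2008:03:12:09 +0200] "POST /forum/posting.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [26/May/2008:10:40:00 +0200] "GET /forum/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.20 - - [26/May/2008:10:45:30 +0200] "POST /forum/posting.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2008:02:58:44 +0200] "POST /forum/posting.php?id=0 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.55 - - [27/May/2008:04:00:00 +0200] "POST /forum/posting.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
'''


def repeat_posters(lines, min_days=2, min_posts=3):
    """Return {ip: (post_count, distinct_days)} for IPs that POSTed to POST_PATH
    at least min_posts times, spread over at least min_days calendar days."""
    posts = defaultdict(int)
    days = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != POST_PATH:
            continue  # only submissions to the posting script are of interest
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        posts[m["ip"]] += 1
        days[m["ip"]].add(ts.date())
    return {ip: (posts[ip], len(days[ip])) for ip in posts
            if posts[ip] >= min_posts and len(days[ip]) >= min_days}


def deny_lines(ips):
    """Format the flagged IPs as .htaccess lines in the syntax used in the post."""
    return ["deny from " + ip for ip in sorted(ips)]


if __name__ == "__main__":
    flagged = repeat_posters(SAMPLE_LOG.splitlines())
    print("\n".join(deny_lines(flagged)))
```

Review the flagged addresses against your own and your regular users' IPs before pasting the lines into the .htaccess file.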
