It would be very helpful to everyone if anti-spam feature was in the core and enabled by default.
There's a very effective, very simple anti-spam feature that works with comments and all other forms (registration, login, etc.) that requires no user input, that works with JS and a token.
There's a plugin we use with WP called WordPress Zero Spam that uses this method, and it does live up to it's name. Never had any spam issues on any sites.
It basically generates a random token and stores it in the database. It adds this token on the page using JS, and if token is present and matches database token form submission is validated. If JS token is not present or doesn't match database, it's marked as spam. Validation is performed in the backend.
A checkbox to disable it on Discussions page (or Security) would be helpful if for some reason someone wants spam.
Based on this method:
No Akismet, no captchas, no checkboxes. No external APIs. It's simple and it works.