(WARNING: Offtopic. I'll try and make it short.)
I wonder how do bank web sites, e commerce web site, mail services which must be the hottest target for spammers are able to get by.
Not at all. They are, generally, low-priority targets, in part specifically because they have defenses, but also because they offer little of what the spammers are looking for.
I am also surprised since the UBCD is offered with a GPL licence, not for the individual 3rd party components but their packaging code into an image and the menu options code etc. (correct me if I am wrong, though), why should anybody target this site (at least a human - there should be some business case - everybody, must get tired simply funding for vandalizing and getting no benefit - unless of course there is some animosity.)
You're misunderstanding both spammers' motivations and their habits. (I'm discussing exclusively commercial-link spammers here, not actors involved in phishing or other types of malicious activity.) They operate like car thieves, trolling for targets of opportunity. They don't care
at all about the target itself, heck they aren't even interested
in who or what the target is, other than that it allows them to achieve their goals. And as Victor said, the best defense is to make difficult and tedious to breach your defenses, enough so that they'll move on to the next, more vulnerable target.
Their goal is to post links to the commercial sites they're spamming for. In part, as free advertising for the site they're linking to that'll get seen by anyone browsing the forum, But even more importantly, to goose the ranking for those sites on search engines like Google, which weight results based on how many external links to them exist on other sites. So, the main reason they avoid things like bank and mail sites is that they don't offer ways for users to post public content that'll get seen by users and search engines.
Their ideal target is a forum site like one, where newly-registered users are allowed to post content containing links. Especially if they're run on well-known, standard forum engines like phpBB, which make their interface predictable and allow them to script much of the spamming work. Then, pretty much all the human spammer has to do is solve a captcha, and the rest is automated.
The only stronger defense, and one that some very-active forum sites have implemented, is to impose a "waiting period" of N days or N posts before new users are allowed to make posts containing links, or even a period of N days after registration before they're allowed to post at all. That often will
be enough to run off the spammers, who won't bother to return in N days when they can just as easily move on to the next site that doesn't have such a requirement. But it's also a serious imposition on the real
users, far more so than even the most onerous captcha.