Yes, you found the one and only EE in Matrix. As you say, CAPTCHAs are not used extensively within Matrix, and never for actual security, so few people ever notice. This is why we specifically targeted this bit of code.
It would be nice to not spread FUD about the security of the product though. Matrix code has been routinely audited by security companies for more than 5 years. A lot of our clients, particularly government clients, like to have these independent audits done before they launch, and then periodically thereafter. We also have a full-time security engineer embedded with the development team to do internal audits and keep people’s security knowledge current.
And finally, I honestly can’t remember why we called that directory “fudge”, but I’m pretty sure it had nothing to do with another f-word :)