Your site is not compromised. The captcha simply prevents a bot from submitting the form over and over again. It's the same as if a human quickly filled out the form and clicked submit and did this over and over again. There's not any kind of a security breach. Captchas are pretty good at preventing bot spam.
One clever thing you could do is make a hidden input field and make it very appealing for bots to fill it out, no validation or anything and label and name like "Last Name", something that is common, but that you aren't already using. When the form is submitted that value will be sent to the server. Since a person couldn't have seen the input, the only way it will be filled out is if a bot found it in the document and filled it out. So, if you find this value, don't send the mail. More on this here (click).