I am the developer of clickcha. Appreciate the input, but you seem to be forgetting that bruteforcing can be avoided by temporarily banning the IP for some time after certain number of incorrect attempts.
You could make it much harder for bots by asking the user to click on two numbers (e.g. highest and lowest). I don't think that would be too much extra work for the user as most of the effort is in scanning through all of the numbers.