Mmmm... maybe it's bullshit, but it is also true that the best defense against bots tends to be proof-of-work, which has to be done client-side.
Not an issue for me now... but when I ran sites that were subject to spam, either comments or user accounts, POW methods were the only ones I ever found to be successful at stopping bots. So no Javascript, no joining or commenting.