I’d agree with that, but it doesn’t mean small websites don’t get hacked all the time… they do.
But on another note:
Captcha’s don’t do anything against "attack" as much as they "prevent spam."
If you have a database driven website (like wordpress, etc.), an "attack" could try to change the content in your database.
If you don’t have a database driven website, there’s not much to attack, except maybe trying to get in via ftp, or editing 777 files…