Wouldn’t it make more sense to have the testLimit property in CCaptchaValidator instead of CCaptchaAction? testLimit has to be defined in the controller’s action() method instead of the rules() section of your model. The latter feels more right to me. Same applies for min/maxLength.
The docs are also not really exact for testLimit:
This sounds like after reloading the img for 3 times, a new one is generated. Instead, this happens only when validation fails 3 times.
Finally i’m missing a way to find out, wether testLimit was actually reached. We sometimes might want to take some special action, if this happens.