[SalesForce] Can web-to-lead be protected from spammers without additional server side processing

The default web-to-lead functionality that Salesforce provides makes it really easy to drop an HTML form onto any web page and submit leads straight into a Salesforce Org.

E.g.

<form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST">

    <input type=hidden name="oid" value="00D100000000001">
    <input type=hidden name="retURL" value="http://">

    <label for="first_name">First Name</label><input  id="first_name" maxlength="40" name="first_name" size="20" type="text" /><br>
    <!-- Additional fields -->

    <input type="submit" name="submit">
</form>

Looking at the generated HTML, the only input that is unique to your Org is the oid. Once a bot/spammer has that they could easily POST data to /servlet/servlet.WebToLead and create as many leads as they want (up to the default 500 per day).

While it is great that web-to-lead is so easy to implement, it opens you up to receiving lots of form-scraping spam. Worse still, once your OrgId is out in the wild and they know you are using web-to-lead, you can't just fix up the form to stop the spam coming in. You'll be forever trying to pick up the pieces with validation rules and field validation. See also – Ideas: Web 2 Lead & webform spam

Since the oid/OrganizationId is so sensitive it seems like it shouldn't be in the form in plaintext and ideally shouldn't even be sent to the client.

Do people just resort to server side processing to create the lead (and hide the OrgId) or is there a way to secure the generated form?

Of course, once you are doing server side processing you don't really need to use web-2-lead and can use the APIs instead.

Best Answer

New Spring 17 Feature

Both Web-to-Lead and Web-to-Case now have out of the box reCAPTCHA support. When creating the form you will now see "Enable spam filtering (recommended)" and "reCAPTCHA API Key Pair" fields:


Here's the former solution, without using CAPTCHA:

  1. turn the "URL" field into a dedicated honeypot / gotcha on your Web-to-Lead form. Render it invisible using CSS, and then when you see a Lead come in with LeadSource='Web' and !ISEMPTY(URL) you can blackhole it. (Subject to your existing business processes of course)

  2. pull the oid organization id value out of the hidden field and populate it later using JavaScript: <script>document.getElementById('oid').value = '00Dd00000001234';</script>

These will choke most dumb scrapers and keep spam to a manageable level.
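The two non-CAPTCHA mitigations above, written out as an added example (not code from the question or the answer). It assumes the Web-to-Lead Website input is named "url" and maps to Lead.Website, and that the Salesforce-side rule is LeadSource = 'Web' AND NOT(ISEMPTY(URL)); the sample leads are constructed.

```javascript
// Added example, not part of the original post. Assumes the Web-to-Lead
// "url" input maps to Lead.Website and can serve as the honeypot field.

// Step 1 + 2 on the page side: the honeypot "url" field is hidden with CSS
// (not type=hidden, which scrapers simply skip), and the oid is left empty in
// the markup and filled in afterwards by JavaScript.
function renderHoneypotAndOid(orgId) {
  return [
    '<style>.w2l-gotcha { position:absolute; left:-9999px; }</style>',
    '<div class="w2l-gotcha" aria-hidden="true">',
    '  <label for="url">Website</label>',
    '  <input id="url" name="url" type="text" tabindex="-1" autocomplete="off">',
    '</div>',
    '<input type="hidden" id="oid" name="oid" value="">',
    `<script>document.getElementById('oid').value = '${orgId}';</script>`,
  ].join('\n');
}

// Mirror of the Salesforce formula ISEMPTY(): null, undefined or "" is empty.
function isEmpty(value) {
  return value === null || value === undefined || value === '';
}

// Step 1 on the Salesforce side: a lead that came in through Web-to-Lead with
// the invisible field filled in was not typed by a person, so blackhole it.
function shouldBlackhole(lead) {
  return lead.LeadSource === 'Web' && !isEmpty(lead.Website);
}

// Split incoming leads into the ones to keep and the ones to discard.
function triage(leads) {
  const keep = [];
  const blackhole = [];
  for (const lead of leads) {
    (shouldBlackhole(lead) ? blackhole : keep).push(lead);
  }
  return { keep, blackhole };
}

// Constructed sample leads (not real records). L3 has a Website value but did
// not arrive via the web form, so the rule leaves it alone.
const SAMPLE_LEADS = [
  { Id: 'L1', LeadSource: 'Web', FirstName: 'Ada', Website: '' },
  { Id: 'L2', LeadSource: 'Web', FirstName: 'buy now', Website: 'http://example.invalid' },
  { Id: 'L3', LeadSource: 'Phone', FirstName: 'Grace', Website: 'https://example.com' },
];

module.exports = { renderHoneypotAndOid, isEmpty, shouldBlackhole, triage, SAMPLE_LEADS };
```

The rendered markup still ships the oid to the client, so this only raises the bar for scrapers that read static HTML; the reCAPTCHA option above is the stronger control.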
