Munged ?

Yes.

Or, for a fuller answer, no.
An address that’s munged with either hex or URL-encoded entities will get a bit less spam, since there are still people running old harvesters that don’t know better, but it’s still vulnerable. Matt, how long would it take you to write the two lines of code to get around that munging?
The address that I’ve been munging by writing it in the page with Javascript from out-of-order parts in the JS source has gotten three spams in going on two years, so I suspect that if there are Javascript-aware spambots, there aren’t too many of them (harvesting by hand seems as likely). I’d be willing to say that accessible Javascript spamproofing is reasonably effective (though backing it up with a hardened feedback form is probably better than the throwaway address), but as WillMaster‘s happy to tell you, entity encoding doesn’t really do anything much.

We should probably have an option to never display email addresses.

Rather than adding YAO (Yet Another Option) I’d rather make a decision to simply not show email addresses publically (we can keep them in the admin interface) and change the wording from “Website trumps email” to “Email address never shown.”
I’ve noticed many technically adapt people leaving obviously fake addresses in comments lately, presumably because they assume it may be shown somewhere.

Somewhere I saw someone’s comments saying:
Link: [ ] (https:// or mailto:)
If you really want to let people who are crazy enough to expose themselves do it, it would work. I threaten to just remove my Email: input all the time, but I haven’t ever done it.

change the wording from “Website trumps email” to “Email address never shown.”

Some of us have already done that. ??