It does seem odd though that the passwords are encrypted and not hashed, but the hints are in plaintext. Why didn't they also encrypt the hints? (Rhetorical, the answer is probably just laziness/incompetence).
Even if you do use bcrypt() or similar for hashing the passwords, then encrypting the hints would prevent similar tactics being available from just a dump of the table contents.
Hashing is the correct way, but big companies commonly do things wrong. If they had a SQLi vulnerability in their site without knowing, it's also possible that they didn't even know this database existed.
It is almost certainly not the case that Adobe is using the same key for all 3 operations. It's probably more effort to do anyways.