Well like many such website "security" practices, if you know why they're bad, they are no longer a problem for you. But normal people don't know why security questions are a stupid idea, so when an otherwise reputable website (like an e-mail provider) asks you for your first car or favourite toy, they assume it's how things are supposed to be on the Internet.
Answer could be: Ford
Instead it is Enqc or droF or Gpse