"Security questions" aren't for security, they're to reduce support costs
Companies were tired of having people say "I forgot my password" and not having a way to establish their identity, so these security questions were invented. Only problem is that they act like passwords that are simpler to hack. If you're a public figure, or someone targets you, answering them honestly leaves you wide open.
When you only have to answer one or two of them correctly, and get multiple chances (probably unlimited) it is going to be a lot easier for guessing attacks to succeed as well. Which is easier, to brute force a complex password, or guess the name of the high school someone went to? Even if you don't know where they grew up, you can guess names like "City High" or "North High" and have you'll snag a lot of people. Ditto with a childhood pet, there are probably a few dozen names that cover half the pets people had as kids!
These security questions have spread like a plague of bad security practice, just as dumb as the policies that force you to use ever longer and more complex passwords, and still change them every 90 days - all but guaranteeing that they'll be written down somewhere.