Balancing security and memory
Sadly, this is a great example of why, even though online services try to make things secure by using a security question as a form of secondary authentication, it's never going to be safe enough. And while I like the idea of using more random knowledge, such as a library card number or frequent flier mile number, anything that doesn't use alphanumeric answers will still find risks like current methods today.
Personally, I like when sites use a combination of "here's an image you designated" plus random text that you enter as a form of secondary authentication, but as bots get smarter, even those might see increased risks.
So is the solution to just overhaul the password methodology and look at new ways of authentication, which will hopefully reduce the number of password resets that seem to increase at the same rate as the complexity requirements?