Security Q/A are de facto passwords. Treat accordingly.

Further, they're often a sign that a human employee providing support can override and manually authenticate a user. Whether or not that is really the correct user. Treat your entire account with them accordingly.

Yes. I answer something like "favorite color" with "blue green red" or "blue was the color of my first bike" if I can. I end up with something like this:

pet: answer school: answer friend: answer