People often change their passwords, but rarely their security question. Many security questions can be answered from a quick search on Google or Facebook. Married women almost always include their maiden names in their Facebook account, for instance, which makes it easier for old friends to find them. However, it also gives the "mother's maiden name" answer for all of their children. Relatives' middle names, a wide range of birthdays, your hometown, where and when you went to school, and other information pop up that same way pretty easily. If I can answer your security question, I can have your password any time I want it.
Best thing to do is to lock down your privacy settings on Facebook and whatever other social networking sites you visit (encouraging friends and relatives to do the same), then choose a security question that can't be easily answered. Also, keep passwords and security questions for financial and work sites different from social sites (like CBT here). They may not be able to get your info from your bank's database, but they might be able to get it from your favorite forum's. If the answers are the same for both, then it doesn't matter where they get it.