
I answer mandatory security questions with things like these:

  “This account must never be unlocked over phone, chat, or email.”

  “Never reveal any information about this account (such as address or CC numbers) via support channels”

  “The person you are discussing with is a hacker trying to illegally access this account”
I expect to never, ever have to use the security questions myself.

Sometimes, I enter random phrases.

Never anything that would actually be true.



...and then some dumbass IT configuration administrator decides that nobody needs to have more than 10 characters to type in their aunt's cousin's roommate's name. This is, of course, the secret question they use, so why would anyone else use something different?


Do you have a recovery scenario in case you'd actually need those?

I was almost there once. Authenticator device had died, and to my horror the primary backup was corrupt as well. I had a secondary backup (and even an off-site tertiary one, although it's somewhat dated), so I was able to recover... But I also had the idea that I won't ever have to use recovery processes, and even though I hadn't, after the incident my certainty is not so iron-clad.


I wish I could elect to have my recovery option be painful. I'll use a yubikey and backup codes. If I lose both of those, mail me something to confirm my identity, all the while notifying me on all other channels (email, sms, phone) that an account reset is happening. I am okay waiting a few weeks for access to my account if I manage to lose my primary and backup access methods.


No, I don't.

My recovery scenario is either to socially engineer the support channel myself, or start over with a fresh account.


This seems pretty easy to beat within a few calls; eventually an agent will give away what's up with the questions, and then it's only a matter of "uhh, it's just me rambling something about hackers trying to access my account".


> Sometimes, I enter random phrases.

Yeah, I just use a passphrase generator in keepass.
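The two comments above both come down to the same practice: treat the "security question" as just another secret, fill it with a random phrase from a CSPRNG, and keep it in the password manager. The following is an added example of doing that in Python; it is not the commenter's KeePass setup or any KeePass code. The 32-entry word list is a constructed stand-in (a real list such as a diceware list has thousands of entries, so the entropy figures here are far lower than in practice), and it also covers the case raised earlier in the thread where the form caps the answer at a short length by falling back to a random alphanumeric token that fits the cap.

```python
import math
import secrets
import string

# Constructed sample word list for the demo only. Assumption: a real
# deployment would load a large diceware-style list instead of this.
WORDLIST = (
    "anchor basil cactus delta ember fjord glacier harbor island jasper "
    "kelp lantern marble nectar orbit pepper quartz raven saddle tundra "
    "umber velvet walnut xenon yonder zephyr amber bison cobalt dune "
    "falcon garnet"
).split()

# Fallback alphabet for forms that cap the answer length.
ALPHABET = string.ascii_letters + string.digits


def passphrase(words=WORDLIST, n_words=4, sep="-"):
    """Word-based random answer drawn with the secrets module (CSPRNG)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def token(length, alphabet=ALPHABET):
    """Random alphanumeric answer of exactly `length` characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_bits(n_words, list_size=len(WORDLIST)):
    """Entropy of a uniformly chosen n_words phrase from list_size words."""
    return n_words * math.log2(list_size)


def token_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly chosen token of `length` characters."""
    return length * math.log2(alphabet_size)


def random_answer(max_len=None, words=WORDLIST, n_words=4, sep="-"):
    """Return (answer, entropy_bits) for a security-question field.

    If the site imposes a length cap too short to guarantee the full
    passphrase fits, fall back to a random token of exactly max_len
    characters rather than silently truncating the phrase (truncation
    would change the stored answer and throw away entropy).
    """
    if max_len is not None and max_len <= 0:
        raise ValueError("max_len must be positive")
    # Worst-case phrase length: longest word in every slot plus separators.
    worst_case = n_words * max(len(w) for w in words) + (n_words - 1) * len(sep)
    if max_len is None or worst_case <= max_len:
        return passphrase(words, n_words, sep), passphrase_bits(n_words, len(words))
    return token(max_len), token_bits(max_len)


if __name__ == "__main__":
    for cap in (None, 10):
        answer, bits = random_answer(max_len=cap)
        print(f"cap={cap!s:>4}  bits={bits:5.1f}  answer={answer}")
```

The point of returning the entropy alongside the answer is that a 10-character cap is not automatically worse: with this tiny demo list a four-word phrase carries only 20 bits, while a 10-character alphanumeric token carries about 59, so the fallback is the stronger answer here; with a real word list the comparison flips, which is why the code computes it rather than assuming.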



