I was reading Kim Cameron’s blog about Schneier’s post about the secret questions that people ask when people forget their passwords. My third-hand interpretation of what he said: the secret question is so easy that it renders any password useless and becomes the point of weakness.
I don’t see it that way, because the secret question is usually (?) sent to a registered email address. Assuming that the email address is legitimate, then one would need to somehow intercept the email at the server, in transit, or the client.
I don’t think this does much to change the security of passwords, since they are relatively weak security anyway. Passwords are useful for a variety of low-security but not no-security needs.