Using a random answer doesn't help against an attack it the security questions are stored in plain text. I'm not saying storing security questions as a hash is any better practice since these questions just need to go away. I am saying that most likely they aren't stored as hashes so a phone operator can query you hence random is only as good as something like BarkBarkRuffRuff for a maiden name.