>Additionally, making "security questions" passwords in and of themselves is going to tremendously increase the volume of your support tickets. At some point, you need to make a cost/benefit analysis and make a decision including that, not just looking at "what's more secure if we assume our users are stupid".
I think as long as you can choose your own level of security, this is actually the best solution, even though some people will not have a firm grasp on how much security they are choosing to have. Right now the default is a fairly low level of security (answer the security questions correctly, plus possibly an e-mail loop), but you can just answer the security questions with another password if you want to, assuming that they don't have any kind of thing that detects weird answers. Unfortunately, almost no one lets you selectively disable things like security questions or password resets.