Or literally anyone who knows you. It's based on the idea that strangers are the ones who will try to screw you over but everyone knows that it's people who you know that end up screwing you over in most cases. So security questions are basically useless in all those cases.
While I agree with you, some people answer these questions with deliberately incorrect answers. If my closest friend tried to compromise my bank account with my security questions, he'd get them all wrong (and even he doesn't know my wrong answers).
I just checked my KeePass and turns out I still have the entry in the recycle bin.
It was 5 digits. Admittedly, that was "back in 2012," but still. For shame, Bank Austria!
That's a huge part of why I use my brokerage, Fidelity, as my main bank, they support Symantec VIP TOTP. I prefer my regular TOTP solution, but this us miles ahead of literally every other bank I've used.