This is why I've generated random passphrases for every security question I've answered in the last decade, stored alongside 2FA data (not in my password manager).
The best part is you usually can't use special chars in security question fields, so I just max out the field length. This makes them functionally the same, and as secure, as any recovery code.
It wasn't fun however when one of the companies I transact with required me to answer one of the questions over the phone as a means of authentication.
I could tell the customer service guy was just as tired when I finally finished responding. :)
I've told them "I just entered a bunch of random nonsense" and he's like "aha, yeah, I can see that" and proceeded to help me. Makes me want to just create some fake-but-real-looking information for those questions instead...