IIRC there was already a security question when you first registered (at least, I made an entry for it in my KeePass DB, so I must have been asked one somewhere). It was, however, not asked to reset the password, which makes me wonder what it was good for in the first place.
Exactly this. All previously stored data is compromised. Obviously, people can't change their birthdates, but the password reset function unquestionably has to rely only on newly-supplied, uncompromised data.