FlyerTalk Forums - View Single Post - UA initiates Account Security Update (Security Q&A authentication added 2016)
Sep 7, 2016, 4:41 pm
  #527  
johnden
 
Join Date: Dec 2011
Programs: UA 1K, Marriott Plat, Avis First, Hertz PC
Posts: 575
The more pieces of information required, and the more secret they are (it is debatable if security questions are secret as they can be socially engineered), the smaller the chance of getting hacked.

However, one disturbing trend in IT is to use the security questions as a method for changing/resetting a password. In this way an account becomes far LESS secure than a username/PW account since the questions are easy to guess or brute force with a dictionary. If a hacker has already taken over an email account (sometimes via guessing such weak questions), it opens the door to accessing many more accounts.

Personally I steer all my clients toward anomaly/outlier detection systems. It takes highly paid experts to set up and train, but in the end is much more effective than 2FA, esp. with minimizing the maximum losses from fraud. Personally I think questions like "What city did you attend high school?" are a 2000s anachronism, but some companies, like airlines, are still living in the 1990s.