Attackers get the service people on the phone, and spin a believable story about just why they don't know the answer to the security question, or have lost their PIN, but it's really important that they get this changed. They pull the support worker onto their side, partners against the evil bureaucracy. The support worker feels good, for helping someone out of a tight spot.
Pfft! More like "support worker helps the customer out because the customer is getting angry and he doesn't want a supervisor call". It's amazing how stupid users are all for improved security until they "lose their key" and then blame the company for "not being helpful" when the protections work as designed against them.