We're still testing this security question vulnerability ourselves (testing it means the account gets locked for 24 hours after the password change), but a reader sent in this tip about how easy it is for a hacker to bypass the security question on Facebook.
Apparently, if you tell Facebook that you no longer have access to your email account(s) or mobile phone, you're shown the usual security question prompt. If the security question is answered wrong (by you or by a hacker), Facebook then lets you verify your account by sending codes to 3 friends instead. Trouble is, a hacker could plant fake friends into your account (if you automatically accept friend requests) and then go through this process to reset your Facebook password.
To protect yourself from this vulnerability, hacker9 recommends registering your mobile phone on Facebook and enabling all the account security settings (including the recently mentioned "Login Approvals" feature). And, of course, be wary when accepting strange friend requests.