For some time now, I've adopted the practice of making up harder-to-guess answers to such questions, e.g., saying that my first pet's name was OhMyGod, or that my mother's maiden name was Smithereens. It is important to give a different answer to each site, so that compromise of one site does not provide access to the others who use the same question. Of course, I then have to keep a record of what I have told each site, but I have control of that record.
You might think that if I can keep a per-site record of secondary authenticators, I can keep a per-site record of passwords. Of course, I do that, too, but you'd be surprised at how often I have to ask for a password reset, or a site de-authorizes my password, or some such thing, requiring using the secondary authenticator.
By the way, like most security professionals, I've stopped even trying to use memorable passwords for websites. I use machine-generated random strings of ten upper and lower case letters and digits. There are nearly 10^18 (a billion billion) of them, so guessing a random one is impractical for anyone with fewer resources than the NSA. By contrast, the success rate in the game of 20 Questions suggests that most people only have about a million memorable facts in their heads, and that there's a lot of overlap between different players' millions.
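An added example (not code from the post) of the two practices above: drawing ten-character secrets from the same 62-symbol alphabet with the OS CSPRNG, keeping a per-site record so no two sites ever receive the same made-up answer, and computing the keyspace the post cites against a pool of about a million memorable facts. The `AnswerRecord` class is a hypothetical in-memory helper; a real record would live in a password manager or an encrypted file.

```python
import math
import secrets
import string

# The alphabet the post describes: upper- and lower-case letters plus digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace_size(length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from ALPHABET (62**10 ~ 8.4e17)."""
    return len(ALPHABET) ** length


def entropy_bits(length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(len(ALPHABET))


def generate_secret(length: int = 10) -> str:
    """Draw a uniformly random string with `secrets` (CSPRNG), never the `random` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class AnswerRecord:
    """Hypothetical per-site record of made-up secondary-authenticator answers."""

    def __init__(self) -> None:
        # Keyed by (site, question) so the same question gets a different answer on each site.
        self._answers: dict[tuple[str, str], str] = {}

    def answer_for(self, site: str, question: str) -> str:
        """Return the answer already given to `site` for `question`, minting a fresh
        random one on first use; compromise of one site reveals nothing about the others."""
        key = (site, question)
        if key not in self._answers:
            self._answers[key] = generate_secret(10)
        return self._answers[key]


def keyspace_vs_memorable_facts(length: int = 10, memorable_facts: int = 10**6) -> float:
    """Ratio of the random keyspace to a pool of roughly a million memorable facts."""
    return keyspace_size(length) / memorable_facts
```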