The whole point of XenForo's Q&A is that a human CAN GUESS THE ANSWER. Otherwise it is kind of pointless.
The whole point of personal Q&A used for additional security on many sites is that it should be DIFFICULT for anyone to guess the answer.
There is a complete disconnect here between the two types of Q&A.
Let me draw you a Venn diagram:
Examples of XenForo Q&A used to check you are human (these are Q&As I've used):
Q. what colour is the sky on a clear/cloudless day?
A. blue
Q. a zebra has stripes in two colours, they are black and _____?
A. white
Q. the capital city of Australia is?
A. Canberra
... these should be EASY for a human to guess. The fact that XRumer has them is annoying, but not a security hole.
Examples of personal Q&A used as additional security for sensitive information (not real examples I've used):
Q. your mother's maiden name:
A. Smith
Q. your father's middle name:
A. Fred
Q. your favourite band:
A. Coldplay (you can definitely see these are fake answers, because I would never ever use Coldplay as my favourite band - unless I was trying to be tricky and avoid social engineering!).
... these should be DIFFICULT for a human to guess. If XRumer has this information about you, it IS a security problem.
But that is totally irrelevant to XenForo, since it does not use this personal Q&A type information (at least not without a 3rd party add on).
XenForo Q&A is completely irrelevant to security debates - the answers to these questions are supposed to be common knowledge - otherwise people would not be able to get past them and access your forum.
All this being said (and I digress now) - I have a personal problem with these types of personal Q&A being used as additional security - things like my date of birth are often used as a security check, but there are a lot of people who know this information! Similarly, my full address. Even my mother's maiden name and my father's middle name are common knowledge to many people. Not all that difficult to get this information with a bit of social engineering or even, in some cases, just some good Google searches!
If you really want additional security beyond a simple password, you really need to move to the realm of 2-factor authentication; then, to access the information, you need to not only know the password, but you need to be in possession of a trusted device as well. That's much more difficult to achieve for a hacker.