HACKER Q&A
📣 irunmyownemail

Why do sites still ask me to do security questions?


It's 2024, and there are still sites today asking for security questions when registering as a new user?


  👤 pwg Accepted Answer ✓
Because their "security checklist" had an item inserted 18.5 years ago that says: "must have security questions" and so to pass their security audit (i.e., check the boxes on the checklist) they have to request security questions.

The best way to answer "security questions" is below:

sort --random-sort --random-source=/dev/urandom /usr/dict/words | head -5 | tr $'\n' " " ; echo

Adjust the head -5 to adjust how many words are output. Then your answer to "what was the name of the first street you lived on" could be:

crunched shirt wins ambushed titter

You gain an answer that has no relation to the question, as well as an answer that is easy to recite over the phone to a person (should the need arise).
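
A variant of the one-liner above, written as an added example (not code from the original answer): it filters the dictionary to words that are easy to read out over the phone and reports how many bits of entropy the chosen word count gives. It assumes GNU coreutils (`shuf`); the function names and the default `/usr/share/dict/words` path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes GNU coreutils (shuf).
# Function names and the WORDS default path are assumptions of this example.

WORDS="${WORDS:-/usr/share/dict/words}"

# Keep only lowercase a-z words of 4-8 letters: no apostrophes, no proper
# nouns, nothing awkward to spell out to a support agent over the phone.
word_pool() {
    LC_ALL=C grep -E '^[a-z]{4,8}$' "$1" | sort -u
}

# Print N distinct words drawn at random from the pool, space separated.
# Randomness comes from the kernel CSPRNG, as in the original command.
gen_answer() {
    n="${1:-5}"; list="${2:-$WORDS}"
    word_pool "$list" | shuf --random-source=/dev/urandom -n "$n" | paste -s -d ' ' -
}

# Entropy, in whole bits (rounded down), of drawing N distinct words in
# order from a pool of P words: log2(P * (P-1) * ... * (P-N+1)).
answer_bits() {
    n="${1:-5}"; list="${2:-$WORDS}"
    pool=$(word_pool "$list" | wc -l)
    awk -v p="$pool" -v n="$n" 'BEGIN {
        if (n > p) { print 0; exit }
        for (i = 0; i < n; i++) bits += log(p - i) / log(2)
        printf "%d\n", bits
    }'
}
```

Run `answer_bits 5` against your own dictionary before settling on a word count; a small or heavily filtered word list needs more words to reach the same strength.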


👤 solardev
Why do we still have dumb password requirements? Why do we have SMS based 2FA? Why aren't we all using passkeys?

Security changes take forever. Old school sys admin and IT security types don't really like to keep up with web changes. And users don't know any better. And grandma is probably less likely to mess up a security question than figure out what to do when she upgrades her phone and loses all her 2FA.


👤 syndicatedjelly
The bad guys get better faster than the good guys do.

👤 cpach
Haven’t seen that for years.

👤 meiraleal
Bots signing up is a solved issue and I didn't get the memo?