Because they need to do really fuzzy matching for call-in support, which is where the security question gets most used. Hashing makes that impossible and raises the average call length since the agent would have to type each response rather than simply compare to the answer on screen. No amount of normalization would make "The Blue Dragons" match "Dragons" or "Warwick Elementary School" match "Warwick", or whatever the answers to the questions are. Security questions aren't precise like passwords.