Account selling is bad practice in my book! Usually ends up involved in some scam or another.
As mentioned above I believe that most account trades are done for signature deals.
I think forcing people to have a security question would be a horrible idea and would result in many more accounts getting hacked.
We already have the security log which notifies people when a password was changed in the last 30 days