Just curious, what leads you to say this?
I worked in IT, did software used by all the big bank employees and lots of other software at other companies. So were good about security, others not.
I have seen encryption was not used a lot in various companies, there are 2 common ways to encrypt the web users data, (1-way and 2-way).
Hopefully by now for passwords the 1-way is used everywhere, but if you ever click on "forgot password" and they send it to you, you can be sure it's not 1-way. Nobody can read a 1-way encrypted password as it cannot be decrypted. The system compares what you typed in after encrypting it to the stored value and if they match, then you must have typed in the password.
2-way means , the system can decrypt it. using a key, which of course means if the database is stolen they very likely have the key too.
The other way is to store it in plain text, which is easy.
If the rep can read the challenge question, it means it is probably not encrypted, (it could be done in the 2-way manner, but that is not much better for security). Frankly it's rare that anyone considers challenge questions needing security like passwords.
I've even had Reps give me clues at to my mother's maiden name (which was not a real name)