Yes, the Moodle code could be changed to consider having a security question. You could suggest this at the Tracker (you'd need to open an account):
However, what happens if someone of a group selects the "Search by email address" option? Four out of the five participants have to reset their passwords? And assuming that the security question was developed, what would happen in this case? Which security question would the system use? The first one found in the database?
I concurr with the opinion already given by everyone else.
Anyway, given the requirements/limitations you have, the problem really lies in students not having rules to follow.
1. Usernames could be made a bit more difficult to guess, but easy to remember. This would alleviate one case (search by username) but not the other.
2. Students should be told that they musn't share their username/password with anyone else, and that by doing that they could face some kind of disciplinary action.
3. Students should be made aware that every action is logged (IP/date/time/etc.), from unsuccessful login attempts to everything else within the system; and that any action against the rules (like resetting another's password) will be met with a disciplinary measure; given the small number of students sharing an email, it shouldn't be too difficult to determine who isn't complying.
4. If you haven't, you may consider using the Site policies option:
This, of course, is just an administrative solution, but being aware of the possible consequences might deter students from acting funny.