i thought about it a bit : by putting the random number generator into /dev/urandom they can claim plausible deniability if the random numbers can be guessed (and you end up with a compromised session key). However that might also be unintended, not on purpose.