The more I learn, the more I find that it's dangerous to have non-cryptographically-strong
RNGs. As you say, for anything more than picking which fortune entry to display, i.e. for
anything greater than toy problems, you very quickly rise into areas where exploitation of
predictability is problematic. People get used to practicing with a "sufficiently random"
idea, and it leaks into implementations in areas where it becomes a problem. Communication is
an access point; memory mapping is an access point; program input is an access point; data
storage is an access point; data output is an access point.
As to the OpenBSD response, this shouldn't be terribly surprising, given that having a name
for security becomes momentum. We've seen them brush security problems under the table
before, for love of keeping that "0 holes" statistic alive.