I tracked this down to the generation of the RSA_EXPORT key. In this case, bits from /dev/random are used, even though the generated key is horribly insecure anyway. Wouldn't it make sense to use only STRONG_RANDOM in this case, and not VERY_STRONG_RANDOM? (I have a distinct dejà-vu feeling about the whole matter. Odd.)