Smells like a combination of bureaucracy and a rather interesting little glitch in the math... somebody observes that you could make an PRNG that works that way, somebody else says MAKE IT SO and before you know it, it's an NSA standard, even though it's obviously never going to work because it's incredibly slow and obnoxiously complicated. Bureaucrazy, as they say.

Doesn't everyone use a hash function (for moderate security), an entropy system (high security), or a quantum hardware system (extreme security) already? There's even a hash-based generator in the standard; I don't see why people would suddenly use the one that's in all ways the worst option.

Didn't I just read about something like this in that story aaronsw is publishing in his blog?

if they love speed so much that they demand each cpu they buy has a POPCOUNT, then it's rather surprising that they'd love the random number generator "3 orders of magnitude slower", no?

I would be surprised if they didn't at least try.