It's weird that PHK framed it this way, but he's on the right track, regardless. Compromised entropy is one of the largest persistent attack surfaces in the state surveillance war. It's darn hard to notice when your client-side random key is leaking key space from prior exchanges, unless we're all running perfectly vetted software every day of the week and twice on Sunday and nothing bad ever happens to the golden master distribution chain. Developers never lose their private keys ...
Compromising the entropy of 100 major web sites (Google, Yahoo, MS, etc.) may be possible. Compromising the entropy of hundreds of millions of clients would be vastly more difficult. OK, the evil government may persuade MS to modify every copy of Windows - after they tried that years ago with US vs. Export versions of crypto - but what about Linux and other open source OSes? Any attempt to play with the client side of crypto is going to get noticed very quickly.
As for compromised private keys, yes it can happen, but only on a small scale. All serious SSL crypto (banks, Gmail, etc.) is done using Hardware Security Modules. HSMs store the private keys securely, performing all key operations internally. The only time the private key will leave the HSM is when it's backed up onto a smart card (which is itself a form of HSM). So large scale compromising of private keys is not practical.
Alternatively, the Evil Government could theoretically persuade Google, Yahoo, et al. to use one of a number of pre-approved private keys. Even that would be noticed very quickly. There are a number of monitoring sites which collect X.509 certificates regularly for most major sites. We are looking for forged certificates being used for man-in-the-middle attacks. So if a key is ever used across multiple web sites it will be detected very quickly.
I still think the whole scenario is a Movie Plot Threat.
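Two of the checks this reply leans on (certificate monitors spotting one key served by several sites, and the broader worry in the first comment about entropy being compromised at key-generation time) can be made concrete. The block below is an added example, not code from either commenter or from any monitoring project: it takes a constructed snapshot of host-to-public-key pairs, flags the same SubjectPublicKeyInfo fingerprint appearing under more than one host, and runs the shared-factor (GCD) test that catches RSA moduli generated from a weak RNG. The host names, the Mersenne-prime "factors" standing in for real 1024-bit primes, and the `n:e` string hashed in place of DER SPKI bytes are all assumptions made for the example.

```python
"""Two checks a certificate-monitoring pipeline can run over the public keys
it collects.  Added example (not from the thread); all inputs are constructed.

1. Key reuse: the same public key (same SPKI fingerprint) served by more than
   one unrelated host.  A forged cert used for a MITM, or a "pre-approved"
   key pushed onto several sites, would show up here.
2. Shared RSA factors: distinct moduli that have a prime in common, the
   classic symptom of a broken or poorly seeded RNG at key-generation time.
   Anyone holding both moduli factors both keys with a single gcd.
"""
import hashlib
from itertools import combinations
from math import gcd

# Mersenne primes stand in for the ~1024-bit primes a real RSA key would use
# (assumption for the example; they keep the arithmetic readable).
P61 = 2**61 - 1
P89 = 2**89 - 1
P107 = 2**107 - 1
P127 = 2**127 - 1
P31 = 2**31 - 1
E = 65537

# Constructed monitoring snapshot: host -> (n, e).  a/b share a prime (bad
# RNG); c/d serve the identical key (reuse); e is an unrelated, healthy key.
SNAPSHOT = {
    "a.example": (P61 * P89, E),
    "b.example": (P61 * P107, E),
    "c.example": (P127 * P31, E),
    "d.example": (P127 * P31, E),
    "e.example": ((2**13 - 1) * (2**19 - 1), E),
}


def spki_fingerprint(n, e):
    """Stand-in for SHA-256 over the DER SubjectPublicKeyInfo.  In a real
    pipeline hash the DER bytes; here a canonical 'n:e' string is hashed."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def find_key_reuse(snapshot):
    """Return {fingerprint: [hosts]} for every key served by more than one host."""
    by_fp = {}
    for host, (n, e) in snapshot.items():
        by_fp.setdefault(spki_fingerprint(n, e), []).append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def find_shared_factors(snapshot):
    """Return [(host_a, host_b, common_prime)] for distinct moduli sharing a
    factor.  Pairwise gcd is O(k^2), fine for a few thousand keys; at Internet
    scale the product/remainder-tree batch-GCD does the same job in near-linear
    time."""
    hits = []
    for (ha, (na, _)), (hb, (nb, _)) in combinations(sorted(snapshot.items()), 2):
        if na == nb:
            continue  # identical key: that is reuse, reported by find_key_reuse
        g = gcd(na, nb)
        if g != 1:
            hits.append((ha, hb, g))
    return hits


if __name__ == "__main__":
    for fp, hosts in find_key_reuse(SNAPSHOT).items():
        print(f"REUSE   {fp[:16]}... served by {', '.join(hosts)}")
    for ha, hb, g in find_shared_factors(SNAPSHOT):
        print(f"SHARED  {ha} and {hb} share prime factor {g}")
```

Run against the constructed snapshot it reports c.example and d.example serving one key, and a.example and b.example sharing the factor 2^61-1. The reuse check is what the monitoring sites in the reply effectively do; the gcd check is the extra test worth running on the same collected corpus, since a key that is unique across sites can still be weak if the RNG that produced it was.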