I always assumed this isn't the only source of entropy they use, but it's added to some other random generator in the computer. I've just tested it on https://www.bitaddress.org: without using my mouse (Tab many times to be able to type in the entry field), I filled it by holding the A-button. After that, I did the same again. As expected, this produced 2 different private keys.

bitaddress.org) Uses a PRNG that is seeded with a 256 byte array. That initial seed is used by the PRNG to generate 32 bytes for each address on the page based on the same 256 byte seed pool. To inject entropy into the PRNG's seed pool browser fingerprinting, time, key presses, mouse movements and hardware randomness from the OS are all xor'd together. As well the output of the PRNG is xor'd with the hardware randomness.