I'd argue that people should not be using PRNGs seeded with cryptographically secure entropy to make private keys, especially in browsers (which is the only method they have; they have no CSRNGs), because you're relying on the webpage to supply good-enough entropy. Mouse and keyboard input that's made during (not before) entropy gathering can also be tracked within the browser and webpage itself, so all it takes is a malicious add-on that tracks such movement and they can re-derive the entropy. When a PRNG is used, this also allows them to make the private key too.
The script itself is secure enough and provides sufficient randomness against any brute-forcing attack, and that is the main point of the topic. I think we have to eliminate any malicious party that could intentionally modify the entropy sources to make it less random... Running a phishing site with a pre-defined seed is sufficient for this. Malicious add-ons and stuff like that shouldn't matter because the webpage isn't designed to run on a compromised computer.
As for the randomness, I've done a quick pass over their entropy collection[1]. I think the way the entropy is generated is sufficiently random, barring any possible interference externally.
[1] https://github.com/pointbiz/bitaddress.org/blob/72aefc03e0d150c52780294927d95262b711f602/src/securerandom.js
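
An added illustration of the point debated in this thread, not code from bitaddress.org or from either poster: a key expanded only from input events is reproducible by anyone holding the same event log, while mixing in OS CSPRNG bytes removes that dependence. The event values, the function names and the HMAC expansion standing in for the seeded PRNG are all assumptions made for this example.

```javascript
// Added example (Node.js). Not bitaddress.org code; all names are hypothetical.
const { createHash, createHmac, randomBytes } = require('node:crypto');

// Constructed sample: mouse events as a page or add-on could record them.
const observedEvents = [
  { x: 412, y: 88, t: 1700000000123 },
  { x: 415, y: 93, t: 1700000000139 },
  { x: 431, y: 120, t: 1700000000171 },
];

// Hash the collected events into a fixed-size entropy pool.
function poolFromEvents(events) {
  const h = createHash('sha256');
  for (const e of events) h.update(`${e.x},${e.y},${e.t};`);
  return h.digest();
}

// Deterministic expansion standing in for the seeded PRNG:
// the same seed always yields the same 32 bytes of key material.
function expand(seed) {
  return createHmac('sha256', seed).update('key-material').digest();
}

// Case 1: the key depends only on events visible to the page.
function keyFromEventsOnly(events) {
  return expand(poolFromEvents(events)).toString('hex');
}

// Case 2: events are mixed with OS CSPRNG bytes before expansion.
// osBytes is a parameter so the behaviour can be tested with fixed input.
function keyFromEventsAndOs(events, osBytes = randomBytes(32)) {
  const seed = createHash('sha256')
    .update(poolFromEvents(events))
    .update(osBytes)
    .digest();
  return expand(seed).toString('hex');
}

// A party holding a copy of the event log replays case 1 exactly.
function observerCanRederive(events) {
  const original = keyFromEventsOnly(events);
  const replay = keyFromEventsOnly(events.map((e) => ({ ...e })));
  return original === replay;
}
```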