I am looking for a simple way to generate a private key made out of 3 parts, such that any 2 parts are enough to reconstruct the key.
This is what I came up with:
a = random 256 bit number
b = random 256 bit number
c = a xor b
And now:
private key = sha256(sha256(a) xor sha256(b) xor sha256(c))
public address = bitcoin_address(private key)
I will fund the address and keep a, b and c in three separate physical locations.
In my opinion, the benefit of using this method over multi-sig transactions or secret sharing schemes is that it is much simpler. It can be done in a shell script with common sha256 and xor utilities. No need to write multi-sig transactions by hand or use specialized tools. Of course it is slightly less flexible - it's not clear how to emulate 2-out-of-4 multi-sig for example, but 2-out-of-3 is sufficient for me.
What do you think? Is there some security issue I am overlooking?
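The scheme described in the post, written out as an added example (not the poster's code): it generates a, b and c, then rebuilds the key from any two of them. The function names, the share labels in the dict, and the range check against the secp256k1 group order are assumptions of this example; the `bitcoin_address` step is left out.

```python
import hashlib
import secrets

# Order of the secp256k1 group: a usable Bitcoin private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
NAMES = {"a", "b", "c"}


def xor(x: bytes, y: bytes) -> bytes:
    if len(x) != len(y):
        raise ValueError("operands must have equal length")
    return bytes(i ^ j for i, j in zip(x, y))


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_shares() -> dict:
    """a and b are independent 256-bit CSPRNG values, c = a xor b."""
    a, b = secrets.token_bytes(32), secrets.token_bytes(32)
    return {"a": a, "b": b, "c": xor(a, b)}


def recover_key(shares: dict) -> bytes:
    """Rebuild the private key from any two (or all three) named shares."""
    known = dict(shares)
    if not set(known) <= NAMES or len(known) < 2:
        raise ValueError("need at least two of the shares a, b, c")
    if any(len(v) != 32 for v in known.values()):
        raise ValueError("each share must be exactly 32 bytes")
    if len(known) == 2:
        # a ^ b ^ c == 0, so the missing share is the xor of the other two.
        (missing,) = NAMES - set(known)
        x, y = known.values()
        known[missing] = xor(x, y)
    elif xor(known["a"], known["b"]) != known["c"]:
        raise ValueError("shares are inconsistent: a xor b != c")
    mixed = xor(xor(sha256(known["a"]), sha256(known["b"])), sha256(known["c"]))
    key = sha256(mixed)
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("derived value is not a valid secp256k1 private key")
    return key


if __name__ == "__main__":
    s = make_shares()
    for pair in (("a", "b"), ("a", "c"), ("b", "c")):
        print(pair, recover_key({k: s[k] for k in pair}).hex())
```

With only two shares present, a corrupted share cannot be detected: it simply yields a different key, so the derived address should be compared with the funded one before relying on a recovery.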