Some RNG's use the time of the day in milliseconds as seed, I guess those are easy to brute force. I guess it's all about the size of the seed and it's randomness!?
I would have thought https://github.com/g0tmi1k/debian-ssh would be the most famous issue in many people's memories of poor (read: absent) PRNG use. ;)
One would hope no RSA key generation software is so stupid as to use that kind of RNG. OTOH, apparently 0.2% of RSA keys were generated by something effectively that dumb.
https://people.eecs.berkeley.edu/~daw/papers/ddj-netscape.ht...
You could say that our understanding of PRNGs has improved a bit since then.
A recent thread about brute-forcing PRNG states in a game:
https://news.ycombinator.com/item?id=18880528