Even more, an unbreakable signature can have it's private key stolen by hacking, by agencies inserting personnel into the companies, by agencies blackmailing key personnel and by agencies compelling the companies legally or ex-legally to hand them their keys.
If it's using 2048-bit RSA, that's perhaps equivalent to a 256-bit private key.
So entirely different ballpark to CSS.
On the narrower point, though, it's been shown that Dual_EC_DRBG is broken, and that the NSA values compromised the implementation instead of strengthening it.
¹ This has what looks like a good citation but requires a subscription to access the relevant paper (sigh).
1. Hand the ciphertext to the opponent.
2. Hand the decryption algorithm to the opponent, embedded in a software or hardware device.
3. Hand the key to the opponent, possibly embedded in the hardware.
4. Ask your opponent to decrypt the ciphertext, view the plaintext, and then kindly not copy the plaintext in any other way.