The tokens are only good for a few hours anyway, and if an attacker actually does break one — what would actually be gained? The ability to guess the nonces used in subsequent reset requests. If you're able to generate a password reset request and get the RNG into a predictable state, then try and log in as the user you're targeting and make a password reset request there. You won't get the reset email because you don't have the target's email account, but you can predict the nonce they got. So you can now change the password and log in as the target.
Hashing won't make a difference because if the original random number can be predicted, then its hash can be predicted as well.
But the attack hinges on being able to predict the next nonce that will be used (it's the one after the one the attacker had just got that yielded the RNG's current state). If you generated (decided using a different RNG) a random number of such nonces (up to, say, ten thousand) and used the last one, then the attacker would have to brute force through on average ten thousand nonces using each one to try and reset the password (and up to twenty, because the same one-nonce-in-ten-thousand mechanism would have been used to generate the nonce the attacker got). But that's activity that should ring alarm bells anyway, and could be dealt with through a simple backoff mechanism of "five failed attempts, please wait five minutes before trying again"; they'd run out of time before getting even a few dozen attempts and would have to start all over. Generating and discarding nonces might take a little extra time, but it would be going out by email anyway, so normal users won't notice.
In the meantime the target may be oblivious to all this (having not seen the password reset email yet), and may even log in normally, at which point the password reset request could be discarded completely, and the attacker is left shooting off at nothing.
The Debian vulnerability was different: "...there are only 65.536 possible ssh keys generated, cause the only entropy is the pid of the process generating the key." source
No amount of munging those keys would have worked, because without additional entropy there would still have only been 65536 possible outcomes that could be brute forced. (Those keys are now mildly blacklisted; if any come up then security monitoring software is likely to flag them as possibly compromised.)
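The "five failed attempts, please wait five minutes" backoff and the discard-on-login behaviour described above, sketched as an added example that is not part of the original post. The `ResetGuard` class, the three-hour `TOKEN_TTL` and the in-memory dictionaries are assumptions for illustration, and the token is drawn from Python's `secrets` module (the OS CSPRNG) rather than from the skip-ahead scheme discussed in the post.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5          # "five failed attempts"
LOCKOUT_SECONDS = 5 * 60  # "please wait five minutes"
TOKEN_TTL = 3 * 3600      # assumed value; the post only says "a few hours"


class ResetGuard:
    """Hypothetical helper: one pending reset token per user, with backoff."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # user -> (token, expires_at)
        self.failures = {}  # user -> (failed_count, locked_until)

    def request_reset(self, user):
        # Drawn from the OS CSPRNG, so one token says nothing about the next.
        token = secrets.token_urlsafe(32)
        self.pending[user] = (token, self.clock() + TOKEN_TTL)
        return token  # in a real system this goes out by email only

    def redeem(self, user, candidate):
        now = self.clock()
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"  # even a correct token must wait out the lock
        token, expires_at = self.pending.get(user, ("", 0.0))
        if token and now < expires_at and hmac.compare_digest(
                token.encode(), candidate.encode()):
            self.pending.pop(user)
            self.failures.pop(user, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            # Start the five-minute lock and reset the counter for afterwards.
            self.failures[user] = (0, now + LOCKOUT_SECONDS)
        else:
            self.failures[user] = (count, 0.0)
        return "rejected"

    def login_succeeded(self, user):
        # A normal login discards any outstanding reset request.
        self.pending.pop(user, None)
        self.failures.pop(user, None)
```

Each "rejected" or "locked" result is also the event worth logging and alerting on, since a run of them against one account is the brute-force pattern the post describes.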