If it comes out of a noise diode, it may be filtered noise rather than white noise, but it should be pretty random once you allow for that. Atmospheric static or radioactive decay or whatever would also work, but are a lot more complicated and no less vulnerable to tampering if you're presuming you can't trust the manufacturer -- arguably more so since these are at least as subject to influence from outside the box.
As always, there are more bad ways to implement security than good ones.
As always, perfect security is largely a myth, and cost goes up exponentially as you get closer to it.
As always, the real key is understanding when good enough for your purposes really is good enough... and when you should just go completely outside the box and have someone flip a coin 64 times or grab the nearest UPC or otherwise take a number from some source that they trust is Completely Irrelevant.