The concept is actually fairly clever. The fact that RSA, more or less quietly, held on to the initialization time and seed value (everything you need to reconstruct the passcode a given fob will display at any time during its life) for every fob they sold... Less clever.
Quite embarrassing when persons unknown breached RSA's network and recovered those, then went on a defense contractor hacking spree (this is what finally forced them to admit that anything had happened; they'd been weaseling around about how harmless the hack had been up until that point).
At the time we all thought that RSA was just being wildly incompetent and/or pandering to customers who lose the key material for their authentication servers and come whinging for it. Now, I'm not so sure... Perhaps somebody else was interested in seeing that material stored.
Even now, after that incident, I'm pretty sure that they still don't offer the option to key-fill them yourself, on your site, without a third party involved (and it wouldn't be hard: the contacts are just under a little sticker on the back, a few pogo pins and knowing what, probably TTL-level, serial commands to send, and that'd be that. But no. At least they are damned expensive.)
What I love about RSA's 'denial' is that they never actually deny having backdoored a product, or having worked for the NSA, merely that 'we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products'.
That definitely leaves having unintentionally backdoored a product on the table, and (in strictest logic chopping) might even include developing the intention to weaken a product, so long as the intention developed after the contract or project was engaged.
Keep it classy, RSA, keep it classy.
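As an added illustration of the commenter's point that the seed plus the clock is everything needed to reproduce a token's codes, here is a time-based OTP generator and server-side verifier. This is example code written for this page, not RSA's SecurID algorithm (which is not reproduced here); RFC 4226 HOTP / RFC 6238 TOTP with HMAC-SHA1 is assumed as a stand-in, and the "escrow" seed record, its serial number and its seed value are constructed (the seed is the published RFC test key, not a real token seed).

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (time // step)."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, candidate: str, unix_time: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the candidate if it matches any step within +/- window.

    The server needs nothing the token does not also have: the same seed and a clock.
    """
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed stand-in for a vendor-side seed record keyed by token serial.
# The serial is made up; the seed is the RFC 4226/6238 test key "12345678901234567890".
ESCROW_COPY = {
    "TOKEN-0001": bytes.fromhex("3132333435363738393031323334353637383930"),
}

# The customer's authentication server holds the same seed for the same serial.
SERVER_SEEDS = dict(ESCROW_COPY)


def escrow_copy_is_sufficient(serial: str, unix_time: int) -> bool:
    """Whoever holds a copy of the seed record can produce a code the server accepts,
    with no physical token in hand; that is why the seed store is the asset to protect."""
    code = totp(ESCROW_COPY[serial], unix_time)
    return verify(SERVER_SEEDS[serial], code, unix_time)


if __name__ == "__main__":
    t = 1234567890  # constructed timestamp
    print("code from escrow copy:", totp(ESCROW_COPY["TOKEN-0001"], t))
    print("server accepts it:", escrow_copy_is_sufficient("TOKEN-0001", t))
```

The defensive takeaway is the one the comment makes: the only secret in the scheme is the seed, so a seed record held by a third party is a standing compromise of every token it covers. Generating seeds on the customer's own hardware (or at least keeping the vendor's copy out of existence) removes that single point of failure; encrypting the seed store at rest and treating any copy of it as key material that must be rotated when exposed are the next-best controls.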