Interestingly enough, this seems to be insecure by design. You can find the Java file here. In the source code, you will observe the following comment:
/** Called by cordova.js to initialize the bridge. */
//On old Androids SecureRandom isn't really secure, this is the least of your problems if
//you're running Android 4.3 and below in 2017
Conclusion: you should either make a note about this and accept the existence of this insecure method to support old Android versions, or you should take action. Taking action could include: not use Cordova, open an issue in Cordova's bug tracker, or edit the Java file yourself.