cPanel developers probably don't care about security - they just follow the trend of making it easy to get a certificate so that people who don't understand what SSL is think the whole website/server/data/application is secure because it shows https:// and has a nice security seal... ok, that was probably slightly sarcastic.
Security-wise, I don't think the pkey should be generated at the server at all, and definitely not in non-SSL mode WHM login - it should be on an isolated system on a network that does not have any systems doing fun stuff (no browsing, no IM, no IRC, no email, etc). Whether it's wintendo, mac or linux, you can just download and install OpenSSL and create your own pkey and CSR locally.
(I think a pkey should be treated nearly as safely as a GPG/PGP key; see
www.gnupg.org for how they recommend keeping it on removable media and only using it on a completely offline machine.)
Generate Private Key
$ openssl genrsa -des3 -out keyfile 1024
Generate CSR (Common Name is the domain name, skip all optionals)
$ openssl req -new -key keyfile -out csrfile
Remove encryption from a key (needed to get a clear copy to paste into the install dialog in WHM; make sure you are using WHM in SSL mode before doing so)
$ openssl rsa -in keyfile
Generate self-signed cert - if that is all you want for testing
$ openssl x509 -req -days 360 -in csrfile -signkey keyfile -out certfile
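The four steps above wrapped into one script, as an added example that is not part of the original post or of cPanel/WHM. It assumes the openssl CLI is installed, and the directory, file names, example domain and passphrase file are placeholders. It deviates from the commands above in two places, both on purpose: 2048-bit keys instead of 1024 (public CAs no longer sign 1024-bit keys) and -aes256 instead of -des3 for the at-rest encryption; the passphrase is read from a file only so the script can run unattended, interactively you would drop -passout/-passin and be prompted. After generating, it checks that key, CSR and certificate carry the same public key and that the CSR signature verifies, which is the check worth running before pasting anything into an installer dialog.

```shell
#!/bin/sh
# Added example, not from the original post: offline key + CSR + self-signed
# test certificate, followed by a consistency check. Requires the openssl CLI.
set -eu

# Run the whole procedure for DOMAIN inside directory DIR (created if needed).
# Returns non-zero if any step fails or the artifacts do not belong together.
make_offline_cert() {
    domain="$1"
    dir="$2"
    mkdir -p "$dir"

    # Placeholder passphrase file so the example runs unattended (assumption).
    printf '%s' 'example-passphrase' > "$dir/pass.txt"

    # 1. Private key, passphrase-protected at rest. umask 077 in a subshell so
    #    the key file is created owner-readable only without changing the caller's umask.
    (umask 077; openssl genrsa -aes256 -passout "file:$dir/pass.txt" \
        -out "$dir/keyfile" 2048 2>/dev/null)

    # 2. CSR. -subj replaces the interactive prompts; only CN (the domain) is set.
    openssl req -new -key "$dir/keyfile" -passin "file:$dir/pass.txt" \
        -subj "/CN=$domain" -out "$dir/csrfile" 2>/dev/null

    # 3. Passphrase-free copy of the key, the form an installer dialog expects.
    (umask 077; openssl rsa -in "$dir/keyfile" -passin "file:$dir/pass.txt" \
        -out "$dir/keyfile.clear" 2>/dev/null)

    # 4. Self-signed certificate from the CSR, for testing only.
    openssl x509 -req -days 360 -in "$dir/csrfile" -signkey "$dir/keyfile" \
        -passin "file:$dir/pass.txt" -out "$dir/certfile" 2>/dev/null

    # Checks: hash the DER public key from each artifact and require all three
    # to match, then verify the CSR's self-signature.
    k=$(openssl rsa -in "$dir/keyfile.clear" -pubout -outform DER 2>/dev/null | openssl sha256)
    r=$(openssl req -in "$dir/csrfile" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    c=$(openssl x509 -in "$dir/certfile" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$r" ] || return 1
    [ "$k" = "$c" ] || return 1
    openssl req -in "$dir/csrfile" -verify -noout >/dev/null 2>&1 || return 1
}

# Print the subject CN of a certificate file (works with old and new openssl output formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: make_offline_cert www.example.com ./ssl-work && cert_cn ./ssl-work/certfile
```

Everything here runs on the offline box; only csrfile leaves it (to the CA), and keyfile.clear is what gets pasted into WHM over an SSL-mode session and then deleted from wherever it was copied. The public-key comparison is the cheap way to catch the classic mistake of installing a certificate against a key other than the one its CSR was made from.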