The whole hierarchical deterministic wallet thing, as well as lnurl-auth, is based on the idea that PBKDF is random enough. The only thing that is actually random is the seed.
You have claimed insecurity but I still don't get who's the attacker and what information the attacker learns that he shouldn't have.
random != random
isnan(random) is True