As I read more and more about how this stuff works under the hood, I realize that many wallets (Electrum, Mycelium, Blockchain.info, Trezor) rely on mnemonic seed generation both as a seed and as a backup option in case you lose or want to port your private keys to another wallet.
Only on the bitcoinaddress.org site do you actually "see" the process or randomization.
What is the source of randomness for other wallets/services mentioned?
Bitaddress.org also uses window.crypto.getRandomValues in the browser for entropy, other than your keyboard and mouse.
For most online wallets, they rely on their own servers to generate the entropy. For desktop wallets like Electrum, I strongly believe they are using the entropy from the RNG in the OS. Mycelium uses RNG from /dev/urandom for entropy.
And what makes choosing 12 words out of a fixed list of 2048 words such a good source of protection?
Probability. There are 2048 possible words for one letter in the 12-word seed and the entire 12-word seed would have 2048^12 possible combinations. The probability of anyone trying even 1/10000 of the seeds is remotely even possible. It would probably take several billion tries of seed per second and still take a few hundred/thousand years.
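
An added example, not part of the original answer and not any wallet's own code: it draws 128 bits from the OS CSPRNG and maps them to twelve 11-bit word-list indices. It assumes the BIP39 layout (the page does not name the scheme), in which 4 of the 132 bits are a SHA-256 checksum; the word list itself is omitted and all function names are hypothetical.

```python
import hashlib
import secrets

WORDLIST_SIZE = 2048   # 2**11, so each word encodes 11 bits
WORDS = 12             # 12 * 11 = 132 bits = 128 entropy + 4 checksum

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Map 16 bytes of entropy to 12 word-list indices (assumed BIP39 layout)."""
    if len(entropy) != 16:
        raise ValueError("this example handles 128-bit entropy only")
    checksum = hashlib.sha256(entropy).digest()[0] >> 4   # top 4 bits of the hash
    value = (int.from_bytes(entropy, "big") << 4) | checksum
    # Read the 132-bit value as twelve 11-bit groups, most significant first.
    return [(value >> (11 * i)) & 0x7FF for i in reversed(range(WORDS))]

def indices_valid(indices: list[int]) -> bool:
    """Recompute the checksum; a mistyped or randomly guessed word usually fails."""
    if len(indices) != WORDS:
        return False
    value = 0
    for i in indices:
        if not 0 <= i < WORDLIST_SIZE:
            return False
        value = (value << 11) | i
    entropy = (value >> 4).to_bytes(16, "big")
    return entropy_to_indices(entropy) == list(indices)

def new_seed_indices() -> list[int]:
    """Fresh indices from the OS CSPRNG (what /dev/urandom provides on Linux)."""
    return entropy_to_indices(secrets.token_bytes(16))

def years_to_search(fraction: float, guesses_per_second: float,
                    bits: int = 128) -> float:
    """Years needed to try `fraction` of a 2**bits seed space at a fixed rate."""
    seconds = (2 ** bits) * fraction / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    print("indices:", new_seed_indices())
    # Constructed scenario: 1/10000 of the space at 5 billion guesses per second.
    print(f"years: {years_to_search(1 / 10000, 5e9):.3e}")
```
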