Where it says "select a cryptographically secure random integer k", that is the step that causes different signatures. Most good software now selects k deterministically from the private key and the message as specified by RFC6979.
What do you mean by a "collision"? IIRC any signature with any message will validate to some public key. The key point is to have the given message (i.e. the one you want to verify, in this case, the transaction) validate to the given public key, not just any message validating to any public key.
I know it's improbable, nearly impossible that one would happen to generate a matching signature for a matching Bitcoin address, but from my experience there are many different possibilities of signature hashes.
The hashes created by random variables not selected deterministically still are legitimate, so in essence Core is repeatedly using a specific signature out of the multitude possible. If I were to brute force signatures, it's much more likely that I would hit one of them than that specific one made by Core. Why can't we do something like what Segwit does, but with signatures, so there is only one possible signature?