ah, ty

prime, 256 bit, koblitz

https://crypto.stackexchange.com/questions/18965/is-secp256r1-more-secure-than-secp256k1

koblitz method is very deterministic, and thus widely regarded as strong against backdooring via random values, which are used with these keys with ECDH to generate shared secrets

the R is from random, meaning that it is more likely to be possible the group was selected because of it having a convenient symmetry to enable a backdoor

so, yeah, koblitz ftw, he may well deserve some lionizing from us bitcoiners


Discussion

Re the 'few bits weaker' for Koblitz curve, I *believe* they refer to the fact that curves of this type (j-invariant 0, y^2=x^3 + 0x +C), have a non trivial endomorphism y-> -y, x -> qx, where q is a cube root of unity in the finite field. Through some dark arts this reduces the amount of work needed to brute force a private key by a factor 6, i.e. you lose 2 to 3 bits of security. But I don't even know what paper I read that in, so barely above the 'revealed to me in a dream' level of citation here.

About suspicions about parameter selection, the big story was the hashing used to create the group generators, but it is also here that using a prime order group *should* help ... in a cyclic group of prime order every element (except the identity) is a generator, and there's some vague sense in which "if one generator were not secure, nor would any other be" (see: "random self-reducibility").

If you want to see a world class expert explain people's concerns about the NIST p256 generators, check this out:

https://youtu.be/8WDOpzxpnTE?si=znJt-skcxFOJ3CJn

God damn it, I forgot the timestamp, start at 15:13
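To make the "non trivial endomorphism" in the comment above concrete, here is an added example (my own code, not from anyone in this thread): it takes the public secp256k1 domain parameters, derives a cube root of unity β in the base field and the matching scalar λ in the group order, and checks that x -> βx (with y unchanged) sends curve points to curve points and equals multiplication by λ. It also counts the orbit of a point under negation combined with this map, which is the size-6 set the "factor 6" remark refers to. The point arithmetic is a plain textbook implementation written only for this check, not a library anyone should use for real keys.

```python
# secp256k1 domain parameters (standard SEC 2 values; y^2 = x^3 + 7 over F_P)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True if the affine point satisfies y^2 = x^3 + 7 (mod P)."""
    x, y = pt
    return (y * y - x * x * x - B) % P == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P)
    if p1 == p2:
        slope = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (slope * slope - x1 - x2) % P
    y3 = (slope * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def nontrivial_cube_root_of_unity(m):
    """For a prime m with m = 1 (mod 3), a^((m-1)/3) is a cube root of unity;
    it is nontrivial (!= 1) exactly when a is not itself a cube mod m."""
    assert (m - 1) % 3 == 0
    for a in range(2, 100):
        r = pow(a, (m - 1) // 3, m)
        if r != 1:
            return r
    raise ValueError("no non-cube found in the first 100 integers")


def endomorphism(pt, beta):
    """The map (x, y) -> (beta*x, y); beta^3 = 1 so x^3 is unchanged."""
    x, y = pt
    return (beta * x % P, y)


def matching_lambda(beta):
    """Of the two nontrivial cube roots of unity mod N, return the one with
    lambda*G == (beta*Gx, Gy); the other pairs with beta^2."""
    lam = nontrivial_cube_root_of_unity(N)
    target = endomorphism(G, beta)
    for cand in (lam, lam * lam % N):
        if mul(cand, G) == target:
            return cand
    raise ValueError("neither cube root of unity matches beta")


def orbit(pt, beta):
    """Distinct points reachable from pt by repeated endomorphism and negation."""
    pts = set()
    q = pt
    for _ in range(3):
        pts.add(q)
        pts.add((q[0], (-q[1]) % P))
        q = endomorphism(q, beta)
    return pts


def check_endomorphism():
    beta = nontrivial_cube_root_of_unity(P)
    lam = matching_lambda(beta)
    # a second, unrelated point: the same lambda must work for every point,
    # because the map is a group endomorphism of a cyclic group of prime order
    q = mul(123456789, G)  # constructed test scalar
    return {
        "beta_cubed_is_one": pow(beta, 3, P) == 1,
        "lambda_cubed_is_one": pow(lam, 3, N) == 1,
        "image_on_curve": on_curve(endomorphism(q, beta)),
        "lambda_matches_on_other_point": mul(lam, q) == endomorphism(q, beta),
        "orbit_size": len(orbit(q, beta)),
        "orbit_all_on_curve": all(on_curve(p) for p in orbit(q, beta)),
    }


if __name__ == "__main__":
    for k, v in check_endomorphism().items():
        print(f"{k}: {v}")
```

The orbit size of 6 is where the speed-up comes from: an attacker running Pollard rho can treat those six points as one equivalence class, so the effective search space shrinks by that factor (and the square-root nature of rho turns the factor into a smaller constant in the running time). The derivation of β and λ from the curve parameters rather than hard-coded constants is deliberate, so the check stands on its own and matches whichever of the two valid (β, λ) pairs the search happens to find first.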