This discussion came across my radar this morning via Hacker News.
Details are still being hashed out, but the fact remains that there is a Root CA shipping with Firefox that no one can account for. I recommend removing "RSA Security 1024 V3", but not "RSA Security 2048 V3" (which actually shows up on RSA's Audit Statement [PDF warning])
Hopefully, this is just one that's fallen into disuse over the last 8 years, and not a case where someone slipped a CA into the distribution and attempted to camouflage it by making it look similar to an existing CA.
Update from Kathleen Wilson (thanks to gregms):
I have received email from official representatives of RSA confirming
that RSA did indeed create the "RSA Security 1024 V3" root certificate
that is currently included in NSS (Netscape/Mozilla) and also in Apple's
root cert store.