The excuses I've heard for it include 1) can't do compression after the crypto, and 2) it reduces ciphertext available to attackers. SSH and PGP do it too.
What it does is eliminate the structure of the plaintext. Lots of practical crypto implementation attacks depend on plaintext structure, especially in their most naive and straightforward implementations.
A conceptual purist like Colin Percival would argue, correctly, that if there's an attack against a cryptosystem that benefits from knowing the distribution of bytes in the plaintext, that's a damning statement about the cryptosystem itself.
