As I explained, it's a monoculture in that there are organizations, mostly U.S. government bodies, that will not deploy cryptographic primitives unless they have been standardized by NIST. This means strictly sticking with 3DES, AES, SHA-1, SHA-2, and SHA-3. For random number generation, this means CTR_DRBG, HMAC_DRBG, and Hash_DRBG. For password hashing, it's md5crypt, sha256crypt, and sha512crypt. It goes on and on.
I used to work as a contractor for the Dept. of V.A. and am familiar with the red tape required to implement libraries in code, push patches to production, rely on 3rd-party libraries, etc. It's a nightmare. As an admin, I couldn't certify a hard drive was digitally wiped unless it did the DoD 3-pass, even though I'm confident a single pass of zeros is sufficient. I couldn't use my LUKS encrypted laptop on premises, because the encryption process hadn't been vetted by a committee. I couldn't deploy bcrypt as the password hash for authentication.
So, my reference to "NIST/NSA monoculture" is the bullheaded requirement that only NIST-approved algorithms can be used, after committees and approval. It's a monoculture, because at least for the V.A., only government standardized algorithms are allowed.