
This reminds me of multiplying two random numbers...

    super_random = rand() * rand();

...in an attempt to make it "more random". You end up destroying the distribution and making the output a little more predictable.

Except in this case, it took knowledge of the implementation to determine that raw SHA-256 output cannot be safely password_hash()'d.
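
The effect described in the comment above can be measured exactly. This is an added example, not part of the original comment: it assumes an idealised `rand()` that is uniform on `0..n-1` (the comment does not say which generator or range is meant) and compares the multiplied output with a single draw.

```python
from collections import Counter
from fractions import Fraction
from math import log2


def uniform_distribution(n):
    """One draw of the assumed ideal rand(): uniform on 0..n-1."""
    return {value: Fraction(1, n) for value in range(n)}


def product_distribution(n):
    """Exact distribution of rand() * rand() for two independent draws."""
    counts = Counter(a * b for a in range(n) for b in range(n))
    return {value: Fraction(c, n * n) for value, c in counts.items()}


def guess_probability(dist):
    """Chance that a single best guess matches the output."""
    return max(dist.values())


def min_entropy_bits(dist):
    """Min-entropy: the measure that matters against a guessing adversary."""
    return -log2(float(guess_probability(dist)))


def shannon_entropy_bits(dist):
    """Average-case entropy of the output."""
    return -sum(float(p) * log2(float(p)) for p in dist.values())


def compare(n):
    """Summarise one draw versus the product of two draws."""
    single, product = uniform_distribution(n), product_distribution(n)
    return {
        "single_min_entropy": min_entropy_bits(single),
        "product_min_entropy": min_entropy_bits(product),
        "product_shannon": shannon_entropy_bits(product),
        "two_draw_budget": 2 * log2(n),  # entropy consumed by two draws
        "distinct_products": len(product),
    }


if __name__ == "__main__":
    for name, value in compare(256).items():
        print(f"{name}: {value:.4f}")
```

With `n = 256` the most likely output (zero) occurs with probability 511/65536, so the product has about 7 bits of min-entropy: less than the 8 bits of a single draw, and far below the 16 bits that went into it.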


