I'm not sure that OpenSSL is the project they ought to be contributing to. It looks to be beyond repair architecturally (as a project as well as codebase).
It's a readily-available collection of complicated things (ciphers, digests, cryptographic protocols, etc) that everyone needs. Implementing 'yourself' (your company, whomever) takes lots of time and thus money. It seems the world made the assumption that this open source project was the end-all be-all of cryptographic implementations.
It was developed outside the US at a time when the US had export restrictions on strong crypto. Now that those restrictions are gone, anybody can just use NSS instead.
Are the alternatives much better? GnuTLS has had its fair share of embarrassing bugs too, and I can't think of a 3rd open source product that's as mature.
NSS is more complicated, for a lot of reasons. As I recall, it handles its own keystore which it doesn't share with other implementations (e.g. the ca-certificates package in Ubuntu/Debian); it requires you to initialize the keystore manually and tear it down when you're done, but sometimes you don't know if anything else has done the initialization, so you don't know if it's safe for you to tear it down.
There are other issues as well; not blocking problems necessarily, but reasons why it might not be a great implementation or why it would break the way current SSL works for distro maintainers and users.