"The problem IMHO is that OpenSSL was used for highly sensitive commercial uses (like Gmail, Amazon and others)"
I think it's worth noting that uses can be highly sensitive without being commercial (or governmental). Not that this takes away from your point, which I agree with in broad strokes - responsibility lies first with those deploying; they are the only ones that have access to the full picture.