There's an entire infosec community with white hat hackers that would love to find holes in openssl and talk about them at conferences. Perhaps they gave up on openssl because it has been impenetrable for so long?
As far as I know it was mostly just conventional neglect like you’d expect. Everyone assumed someone else was dealing with it until it was too late to fix.
It’s much improved since then though. Huge portions audited and rewritten.
