Security certifications are one reason. OpenSSL maintains a module for FIPS compliance, which includes an entire boatload of weak and broken algorithms nobody else bothers with.

This kind of security certification seems like the exact opposite of actual security

It is. There are other related issues like at some point RedHat patched back options removed/changed in openSSH 7.0 because

* they upgraded a major release (6.x to 7.x) in "stable" channel of their distro * their customers ran some ancient stuff that required those options.

We've failed a security audit because our checks just compared OpenSSH version ("if version is above this it doesn't need any change in config") while Red Hat's OpenSSH version was downgraded to earlier version settings/security issues

AWS actually has two libraries they use instead: s2n and aws-lc https://github.com/aws/s2n-tls https://github.com/aws/aws-lc

Because as horrible as the OpenSSL code is, the best available clean implementation would mean using a language that's weird and French.

Do you mean HACL* / ValeCrypt / EverCrypt?

A number of projects like Firefox and the Linux kernel uses them. It's boring at that point. The generated code is C and assembly can be used like any library, but it has been formally verified.

But, there is ring and rustls too. A number of projects are shifting to it

Hah, I meant ocaml-tls which I think is still the most mature option in this space. But yeah there are other approaches.