I think it's a fair question. If they had what they believed to be an improved (more secure) OpenSSL why not contribute the patch back to the community? After all they are standing on the shoulders of giants here, it seems a bit selfish to take an open-source project, improve it, and then not share that back.
Yes I know that many open-source licenses do not obligate one to do this, but it still seems like the right thing to do to me.
I can't say what happened in this case but after you submit a patch to openssl and wait 6mo, a year, two, or even close to four, and simply don't hear anything back or if you do that they are doing something their own way instead, you just sort of lose the will and might get to simply be pragmatic and do what you need for your own job and customers after a while.
Probably this. Submitting patches back to open source is expensive - you have to dedicate engineers to tidying up and submitting patches, for no benefit (other than being closer to upstream, which is of marginal use, especially if there are clear forks) whereas they could be developing new functionality. In the real world, the priority if often to do new development instead.
Yes I know that many open-source licenses do not obligate one to do this, but it still seems like the right thing to do to me.