It's an affront to common sense to put security as an afterthought on top of another protocol instead of making it an intrinsic part of the protocol. But that's what you get when you use ancient technology (and yes, TCP is ancient by computer standards) and simply refuse to accept that it is necessary to invest into it.
But security does not sell. Only now people finally start to slowly catch on and realize that there might be a reason for security. They still don't know jack about it. They only know they "kinda wanna be protected". And that's what HTTPS and OpenSSL offers. It looks secure, Joe Randomsurfer doesn't understand jack and the whole security community will certainly not stand up and admit that it's all ... well, we can't really say it's insecure but ... well, I wouldn't bet my job on it either.
The problem with the whole shit is that it is very, very hard to prove without a doubt that something is insecure when it's not blatantly so. And OpenSSL is not blatantly insecure. It doesn't have the gaping "dude, that's fucked up" holes. When you look through the past year, from heartbleet to POODLE, you'll notice that ... ok, heartbleet was a blunder and a half, but POODLE is by no means something you will instantly understand without quite a bit of understanding of the whole security process behind it and even then it may take a while to wrap your head around it.
We're heading into the area of chances and probabilities. And I do predict that we'll see a lot more of this, attacks where it's not clean cut and "easy" to end up with a way to break security, but we will find that systems we thought to need 10^DAMN_LOT tries to brute force only need 10^VERY_LITTLE, because of flaws in the implementation or even the algorithm itself, where it becomes known that most of the "possible" keys were in fact impossible.
That's what I'd expect from the next few years. And I kinda fear that we will find out more than we'd want to know.