The core encryption functions of an older version (0.9.8, I think) were spun off into a separate module and certified for FIPS. The certification process is that the code is provably correct and the implementation is flawless, which is why it takes so damn long. It is also why only the core crypto transforms are certified.
You CAN, and vendors DO update the wrapper module around the core functions and update things without having to go back under certification.
Case in point: the Red Hat version of FIPS-OpenSSL was susceptible to Heartbleed, even though the core FIPS module was based on an older version that was produced before the code error was introduced! Why? Because the error wasn't in the core crypto but rather in the wrapper, non-crypto code. The actual cryptographic transforms (AES, HMAC-SHA, etc.) functioned perfectly, but information was leaked by the non-crypto code.
LOTS of people -- like almost everyone in the U.S. Gov't or contractors that work on their systems -- use the FIPS certified module for OpenSSL. Or, at least, Red Hat's version of it.
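The point the post makes, that a certified crypto core says nothing about the protocol-handling code wrapped around it, can be shown with a small C example. This is added illustration, not code from the post, from OpenSSL, or from Red Hat's build: a toy heartbeat-style record parser using the simplified RFC 6520 layout (type, 16-bit declared payload length, payload, padding). All names (`hb_echo_unchecked`, `hb_echo_checked`, the `demo_*` functions) and the constructed record bytes are hypothetical. The unchecked variant trusts the declared length, the checked variant requires the declared payload plus minimum padding to fit inside the record that actually arrived; neither touches any cryptographic primitive, which is exactly why a FIPS boundary around AES or HMAC does not cover this class of bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified RFC 6520 heartbeat record (assumption: teaching layout, not
 * OpenSSL's actual structures):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

enum { HB_OK = 0, HB_ERR_TRUNCATED = -1, HB_ERR_BAD_LENGTH = -2, HB_ERR_OUTBUF = -3 };

/* Reads the 16-bit payload length exactly as the peer declared it. */
static uint16_t hb_declared_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Wrapper-layer defect: copies `declared length` bytes from the payload start
 * without comparing it to the record that actually arrived, so a short record
 * with a large declared length echoes whatever memory follows it.
 * `arena_len` bounds the copy only so this demo cannot read outside the
 * constructed buffer; the defect being illustrated is the missing record-size check. */
int hb_echo_unchecked(const uint8_t *arena, size_t arena_len,
                      uint8_t *out, size_t out_len) {
    if (arena_len < HB_HEADER_LEN) return HB_ERR_TRUNCATED;
    uint16_t n = hb_declared_len(arena);
    if (n > out_len) return HB_ERR_OUTBUF;
    if (HB_HEADER_LEN + (size_t)n > arena_len) return HB_ERR_TRUNCATED; /* demo safety only */
    memcpy(out, arena + HB_HEADER_LEN, n);
    return (int)n;
}

/* Hardened form: the declared payload must fit inside the received record
 * together with the minimum padding; anything else is rejected before any copy. */
int hb_echo_checked(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return HB_ERR_TRUNCATED;
    uint16_t n = hb_declared_len(rec);
    if (HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING > rec_len) return HB_ERR_BAD_LENGTH;
    if (n > out_len) return HB_ERR_OUTBUF;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return (int)n;
}

/* Constructed demo memory: a 23-byte record that declares a 24-byte payload
 * but carries only 4, followed by unrelated bytes standing in for
 * "whatever happened to be next in the heap". */
static const uint8_t demo_arena[] = {
    0x01, 0x00, 0x18,                                   /* type 1, declared length 24 */
    'p', 'i', 'n', 'g',                                 /* actual 4-byte payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,     /* 16 bytes padding; record ends */
    'S', 'E', 'C', 'R', 'E', 'T', 'K', 'E', 'Y'         /* adjacent memory, not in the record */
};
#define DEMO_RECORD_LEN 23

/* Runs the unchecked parser over the demo arena and returns how many bytes of
 * the echoed output came from beyond the record boundary (4 here, "SECR"). */
int demo_leaked_bytes(void) {
    uint8_t out[64];
    int n = hb_echo_unchecked(demo_arena, sizeof demo_arena, out, sizeof out);
    if (n < 0) return n;
    int in_record = DEMO_RECORD_LEN - HB_HEADER_LEN;   /* 20 bytes legitimately echoed */
    int leaked = n - in_record;
    if (leaked != 4 || memcmp(out + in_record, "SECR", 4) != 0) return -99;
    return leaked;
}

/* The checked parser sees the same record and refuses it. */
int demo_checked_rejects(void) {
    uint8_t out[64];
    return hb_echo_checked(demo_arena, DEMO_RECORD_LEN, out, sizeof out);
}

/* A well-formed record (declared length matches the 4 bytes carried) still
 * passes the check, so the fix does not break legitimate traffic. */
int demo_checked_accepts_valid(void) {
    uint8_t rec[DEMO_RECORD_LEN] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' }; /* rest zero padding */
    uint8_t out[64];
    return hb_echo_checked(rec, sizeof rec, out, sizeof out);
}

int main(void) {
    printf("unchecked parser leaked %d bytes past the record\n", demo_leaked_bytes());
    printf("checked parser on the same record: %d (expect %d)\n", demo_checked_rejects(), HB_ERR_BAD_LENGTH);
    printf("checked parser on a valid record: %d bytes echoed\n", demo_checked_accepts_valid());
    return 0;
}
```

The length comparison in `hb_echo_checked` is the whole fix, and it lives in protocol-framing code that no FIPS validation of the cipher and hash implementations ever examined. When reviewing a "FIPS-validated" deployment, the practical question is therefore which files sit inside the certified boundary and which, like record parsing, sit outside it and follow the normal patch cadence.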