
This vulnerable parser of attacker-controlled remote input was written from scratch in C in 2020, without a fuzz harness even though OpenSSL is critical infrastructure and is already hooked up to oss-fuzz.

It is simply difficult to reconcile these facts with the idea that it is a very good team doing very good work.


