
Gospel Herald I don't even.


It was posted on many sites, that was the first hit from a search query. I know.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affec... scroll to the banks section, you can see that many of them weren't affected. I've looked around online to see what they use, but it doesn't seem to be posted anywhere.

My first question was serious: if there is a secure and reliable commercial SSL library out there, I know people would pay for it. No one wants to deal with these recurring OpenSSL issues while they work to clean up their code.


If they're really any good, I'll at least say that hardly anyone will pay for a secure alternative. It's hard to sell more secure anything to businesses. Much less a protocol library that they have to integrate into everything. Especially at the prices they're sold at by the companies that might be competent enough to make a good library. They want to get back their engineering investment while users want the product for next to nothing.

There's also the problem of integrating it into GPL software. Many companies are using such software. Companies specializing in software I.P. don't want their stuff released as GPL because it was used in a GPL app. There's ways to skirt around this but they add complexity. Stuff like this is why I recommend BSD-style licenses so that good, proprietary stuff can be integrated with it.


I agree most small time companies would not spend an extra price for a library. Even though doing so would make sense based on the financial risk you take by utilizing a free option.

With that said, major vendors who sell very expensive gear that uses open source libraries like OpenSSL could afford to pay a license fee per device, and then pass that price on to their enterprise customers. An enterprise customer would gladly pay an extra 500-1000 dollars for a stable SSL/TLS library if it meant they wouldn't have to upgrade their devices every ~8 weeks due to OpenSSL bugs. It's cheaper to pay for a more stable/secure library (if one exists) than to upgrade mission critical devices so often (or worse, get hacked).

One thing you can say is that a bank has a lot to lose--they'll invest in whatever it takes to secure their networks and devices.


They could, and that is one of the models. It's a very niche, tiny group that would. I mostly saw developments in high-end smartcards, premium guards in defense, custom work for government/commercial by contractors in high assurance... that's pretty much it. There's so little work in the high security field that I straight up left it and now mainly do R&D on various problems. Even NSA uses HAIPE and SCIP internally for Type 1 (their best) stuff. They clearly didn't trust SSL/TLS, even default IPsec, from the get go. Most just use whatever is cheapest, with the majority of those buying "certified" products doing it for extra government sales and false due diligence (C.Y.A.).

That includes banks. They get breached all the time in various ways while trying to hide it or obscure what exactly happened. I've seen this myself. One said the industry goal is to keep their losses at about 6% or less of risky revenues. They have just enough security (and incompetent enemies) to achieve this. The other trick is "investing in" politicians to keep liability laws in their favor to block most lawsuit risk. Past these two, most banks are focused on just cranking out more profit. Just like everyone else.

Post-Snowden, we've seen increased demand for real security. Yet it requires you to ditch a fully-featured OS, most Internet functionality, a bit of performance, and a significant chunk of the wallet. Further, the widespread use of IT and security that are shit makes most people not know what a strong offering would even look like. These combine to make the sales process for high security an uphill battle. Not likely to change: even I tell new people interested to treat it as a hobby and do mainstream INFOSEC practices to ensure job security. We embed our style invisibly where we can, though. ;)


Banks do not use special secure SSL libraries.