The bug is in the compiler, not OpenSSH. The OpenSSH developers explicitly erased memory with memset. GCC decided to remove those lines without any warning. There's the bug. (Here come the language lawyers...)
What's the difference between GCC deleting parts of your code, and an attacker hacking into the source code repository and deleting those parts of the code?
The C standards committee addressed the problem in 2009 with memset_s. [0] The GNU developers reject patches and state they hope this feature is never implemented. [1]
Pretty much every claim you just made is wrong, but at least you provided the sources to demonstrate such. In short, dead store removal is not a bug; it is explicitly allowed. C11 Annex K is optional, and the rejection was not based on this feature; it was based on other problematic requirements imposed on a conforming implementation.
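The pattern the comments above argue about, shown as an added example that is not part of the thread and is not OpenSSH code: a memset on a buffer that is never read again, beside one common workaround that calls memset through a volatile function pointer. The names check_weak, check_hardened, secure_zero and DEMO_SECRET are hypothetical, and the secret is a constructed placeholder.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder secret, for illustration only. */
static const char DEMO_SECRET[] = "constructed-demo-secret";

/* Weak form: 'secret' is never read after the memset, so the store is
 * dead and an optimizing compiler is allowed to drop the call. */
int check_weak(const char *input)
{
    char secret[32];
    memcpy(secret, DEMO_SECRET, sizeof DEMO_SECRET);
    int ok = strcmp(input, secret) == 0;
    memset(secret, 0, sizeof secret);   /* may be eliminated */
    return ok;
}

/* The pointer object is volatile, so it has to be loaded at each call
 * and the compiler cannot assume the callee is the memset it knows. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

/* Hypothetical helper: wipe n bytes at p with a call that stays in the
 * generated code. */
void secure_zero(void *p, size_t n)
{
    if (p != NULL && n > 0)
        memset_ptr(p, 0, n);
}

/* Hardened form: same logic, wipe routed through secure_zero. */
int check_hardened(const char *input)
{
    char secret[32];
    memcpy(secret, DEMO_SECRET, sizeof DEMO_SECRET);
    int ok = strcmp(input, secret) == 0;
    secure_zero(secret, sizeof secret);
    return ok;
}

int main(void)
{
    printf("weak=%d hardened=%d\n",
           check_weak("guess"), check_hardened(DEMO_SECRET));
    return 0;
}
```

Both functions return the same result; the difference only shows in the generated code, so compare the optimized assembly of the two (for example with `gcc -O2 -S`) and look for the call or the zeroing stores.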
CompCert is not free software. This non-commercial release can only be used for evaluation, research, educational and personal purposes. A commercial version of CompCert, without this restriction and with professional support, can be purchased from AbsInt. See the file LICENSE for more information.
I'm not entirely sure if something like that is good for an unpaid-for open source project...