by falcolas 3795 days ago
> Security patches don't break the API.

shouldn't

When the patched library is not part of Debian Stable or RHEL's repositories (for example, if you require features from a release less than a year old), all bets on API stability are off.

OpenSSL and libc are not the only libraries which are patched for security that people use.

1 comments

And heaven help you if Red Hat decides not to backport a critical bugfix. OpenSSL on CentOS 6 has 99 patch files, a script named "hobble-openssl" and non-trivial changes to the build system that affect linkage, making DIY backports less than trivial.