OpenSSL is not great about compatibility. If you link to it dynamically, there is a good chance users have to recompile when it is updated which in practice means they'll need to update.
This theoretical advantage of shared libraries also doesn't materialize, if containers are used.
I do sympathize as I spend a lot of my time maintaining distro packages.
But I also fear that in this new world of golang and rust projects with statically linked libraries, few people take their reporting responsibilities seriously. Hell, if they did, a serious vulnerability in a commonly used library would result in an avalanche of CVEs.
This theoretical advantage of shared libraries also doesn't materialize, if containers are used.