Had you not added "simple", I'd have had a strong case in point with OpenSSL. OpenSSL has always been at least a bit controversial (i.e., breaking binary compatibility on not just a patch release aka x.y.Z, but a semantic level even lower) and issues have still gone undetected for a long time.