Perhaps we need to take a second look at where the "lambasting" first took place. It was well, well before this recent OpenSSL incident.
For many years now, the security community taken as a whole has very vocally stated, "Never roll your own crypto!", and been highly critical of anyone who has attempted to do so without the security community's blessing.
For many programmers, maybe that is good advice. They probably shouldn't try to design their own schemes, and probably shouldn't try to build them, either.
But I think this attitude has also driven away a lot of very talented programmers who perhaps could have caught an issue like this much earlier on, or perhaps even avoided it in the first place.
So I believe it's misleading for you to portray the users of OpenSSL as somehow being responsible, especially given how much effort the security community has generally put forth toward discouraging more direct participation from these users.
The security community took a holier-than-thou attitude for a long time. It has now been shown that they aren't necessarily any better at avoiding critical and very harmful bugs in their code, however. So of course people will call them out. And there's not a thing wrong with doing so.
Wait a minute, does OpenSSL === The Security Community? It's an honest question because I really don't know who is behind OpenSSL and what their standing is in the security community.
That said, your final sentence seems unfair either way. The warning not to roll your own crypto is to avoid the all too common noob pitfalls whereby a reasonably experienced developer invents a security scheme that is completely and utterly broken from its very conception. It's not to tell smart people they are too stupid to do crypto (which is a lot of programmers' knee-jerk reaction to being accused of ignorance on any technical topic), it's merely to point out that there's a lot of existing knowledge out there about crypto, and if you don't go learn about it first then your contribution will almost certainly be of negative value.
It's not meant to say don't contribute to OpenSSL or one of its competing libraries, it's meant to say that you need to be grounded in the state of the art and have peer review in order to produce a solid cryptography product.
I got the same vibe from the chorus of "never roll your own crypto" rhetoric I heard on the Internet -- that I shouldn't even bother looking into OpenSSL's code unless I went to the Shaolin Temple of Crypto and trained under Master Schneier for 10 years. Just because the intent of the message was one thing doesn't mean that it won't be interpreted in a completely different way by the intended audience.
The impression I got from "don't roll your own crypto" (especially after the Debian key bug thing) was that crypto code was so nuanced and complicated that even if you thought something was a bug, you were likely to be horribly wrong for really complex reasons outside the realm of understanding of anyone who wasn't an expert, and everyone would laugh at you for even bringing it up.
After an entire webpage was created to ridicule the Debian developers for how stupid they were when they changed something in OpenSSL's code in their distro's version (complete with references to Dilbert strips about faulty random number generators), I just assumed that I shouldn't even bother trying to look at OpenSSL's code (and especially not try to send patches or ask questions on their mailing list) unless I was willing to make a lifestyle out of it, lest I get ridiculed in the same way (but probably not at Debian's magnitude). I wasn't willing to make a lifestyle out of it.
Obviously a lot of security people and cryptographers develop a holier-than-thou attitude, no doubt from spending their lives scrutinizing things that people continuously get wrong and for which failure is catastrophic.
That attitude, off-putting though it may be, shouldn't cause us to read too much into what they say.