I don't know much about OpenSSL, but what I know for sure is that refactoring the code itself might not be enough. There must be some process involved to keep track of what was refactored, what was not, enforce rigorous testing, systematically review the code, and make sure all of that is publicly available (when I look at the website, that information is nowhere to be found).