The "maintainability" problem is unlikely to be changed anytime soon, from what I gather.
Since I started using OpenSSL in '01 (and likely for a number of years before that), there's
always been a -DPURIFY compile option to disable the one line that remained commented out
after the Debian package was fixed. The docs specifically say that the use of an
uninitialized buffer is intended to increase entropy, and that you should disable it at build
time if you need a purify- or valgrind-friendly version.
It might be better for distros to use existing flags like these rather than diverging from the
upstream release, at least when such flags are available. The hassle of a makefile mod vs.
the hassle of patching the source again with each new release seems comparable, if not
weighted in favor of the former.
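To make the build-flag mechanism described in the comment concrete, here is an added toy example (not code from the post, and not OpenSSL's actual PRNG): a tiny entropy pool in which the "fold the caller's buffer contents into the pool before generating" step is guarded by `#ifndef PURIFY`, so that compiling with `-DPURIFY` removes exactly that one line. The pool, the mixing arithmetic and the function names (`pool_init`, `pool_add`, `rand_fill`, `demo_state`, `purify_enabled`) are all assumptions made for the illustration; the demo pre-fills the buffer explicitly so the program has no undefined behaviour, whereas in real code that buffer would typically hold uninitialized memory, which is why memory checkers flag it.

```c
/* Toy illustration of the PURIFY build-flag pattern. NOT OpenSSL's code:
 * the pool, the mixing function and the names here are assumptions made
 * for this example. Build with -DPURIFY to compile out the buffer mixing. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Reports which variant was compiled, so a caller can tell the two apart. */
int purify_enabled(void) {
#ifdef PURIFY
    return 1;
#else
    return 0;
#endif
}

/* A 64-bit toy pool. Every mixing step below is a bijection on the state,
 * so two different inputs always leave the pool in two different states. */
typedef struct { uint64_t state; } toy_pool;

void pool_init(toy_pool *p, uint64_t seed) {
    p->state = 0xcbf29ce484222325ULL ^ seed;   /* FNV offset basis, xor seed */
}

/* Fold bytes into the pool (FNV-1a style xor-then-multiply; not a CSPRNG). */
void pool_add(toy_pool *p, const unsigned char *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        p->state ^= data[i];
        p->state *= 0x100000001b3ULL;           /* odd multiplier: invertible */
    }
}

/* Fill buf with output bytes. This mirrors the pattern the comment refers
 * to: whatever the caller left in buf is mixed into the pool first, unless
 * PURIFY is defined, in which case that single line is compiled out. */
void rand_fill(toy_pool *p, unsigned char *buf, size_t len) {
#ifndef PURIFY
    pool_add(p, buf, len);   /* <- the one line that -DPURIFY disables */
#endif
    for (size_t i = 0; i < len; i++) {
        p->state ^= p->state >> 33;              /* xorshift: invertible   */
        p->state *= 0xff51afd7ed558ccdULL;       /* odd multiplier         */
        p->state ^= p->state >> 29;
        buf[i] = (unsigned char)(p->state >> 24);
    }
}

/* Demo helper: seed a fresh pool, pre-fill an 8-byte output buffer with
 * `fill` (standing in for "whatever was already in memory"), generate, and
 * return the resulting pool state. Without PURIFY the state depends on
 * `fill`; with PURIFY it does not. */
uint64_t demo_state(uint64_t seed, unsigned char fill) {
    toy_pool p;
    unsigned char buf[8];
    pool_init(&p, seed);
    memset(buf, fill, sizeof buf);   /* constructed stand-in for stale memory */
    rand_fill(&p, buf, sizeof buf);
    return p.state;
}

int main(void) {
    printf("PURIFY build: %s\n", purify_enabled() ? "yes" : "no");
    printf("state with buffer 0x00: %016llx\n",
           (unsigned long long)demo_state(1, 0x00));
    printf("state with buffer 0xff: %016llx\n",
           (unsigned long long)demo_state(1, 0xff));
    return 0;
}
```

Compile once plainly and once with `-DPURIFY` and the second run prints identical states for both buffer contents, which is the observable difference the flag makes; a memory checker run against the plain build is what reports the read of the caller's buffer.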