his point stands though.
unmanaged languages leave the possibility of buffer overflows, which caused huge problems in the recent past. those problems would have never existed if the SSL implementations were written in java or something. the time it takes to rewrite the implementation and the slight eventual performance decrease are orders of magnitude less of a problem than all of the security data of many many servers worldwide being potentially exposed.
for how i see it, it's just the good ol' "good enough", nobody decided to make the step towards a much stronger security.
what really surprises me is that buffer overflow bugs exist. like, isn't that the first thing you would quadruple-check if you were writing a security library? how is it possible that an unchecked input made it to production code without anybody spotting it?