What the Roadmap says for OpenVMS v9.2-1 is that it will include "SSL3
built-in." It's a little cryptic but I'm pretty sure that has to mean
that they will be moving from OpenSSL 1.1.x to OpenSSL 3.x as part of
the base OS install. Some layered products are already beginning to
require OpenSSL 3.x as a prerequisite.
Patches to OpenSSL will obviously be much more frequent than annual
since that's what they've been doing already, e.g., OpenSSL 1.1.1s and
3.0.7 kits were released in the last few days. They haven't always been
up to the minute, but the release cadence with VSI is vastly better than
anything that ever happened in the CPQ/HP/HPE era.
The Roadmap clearly states, "VSI expects to release new operating system
versions on a yearly basis after 2023" so the annual thing obviously has
nothing to do with patches or layered product updates.