apart from the fact that the current openssh issues are pretty much unrelated to crypto code, I'll still stick with not implementing my own crypto, just because
a) I would not have thought of the issue of using a standard library call to load data.
b) nobody would have checked my code and fixed it
so in the end, I'd still be vulnerable while openssh is now fixed.
I think this is a very key point. OpenSSH gets targeted for vulnerability analysis by very talented people, on a regular basis. I would be surprised if there are more than a dozen organizations on the planet that can deploy those kind of resources against their homegrown code.
a) I would not have thought of the issue of using a standard library call to load data. b) nobody would have checked my code and fixed it
so in the end, I'd still be vulnerable while openssh is now fixed.