An embedded platform that hasn’t been ported to and may be impractical to port to because it’s so different. There may be other reasons and for closed source there may be economic considerations especially since this is a migration from a previous closed source (probably source available) vendor to an in house solution.
And had so many stupid bugs that it looked like it was written by summer interns. Everybody I know who actually worries about actual security ran far, far away from it.
If, however, you just need https for web pages, it's good enough to get started.
Including the very, very limited environment of secure elements, and the capability of interfacing with the sometimes very specialized cryptographic accelerators/coprocessors required for adequate performance?
We're talking low double-digit kilobytes of persistent storage, and sometimes single-digit kilobytes of memory here.
Also, including a full TLS library seems like complete overkill if you only need some cryptographic primitives. These things are usually certified in expensive code and hardware audits; you essentially have to justify (in terms of adding complexity, and with it the possibility of vulnerabilities) and on top of that pay for every single line of code.
