Hacker News

It's worth pointing out that at the scale mentioned, there's no reason that the "paying customer" had to be The United States National Security Agency. It was a published algorithm, and OpenSSL is used in countless commercial projects. It would have been entirely reasonable for one of these to have come to OpenSSL requesting implementation (albeit as part of an NSA-funded internal project with a 400% markup), and the request would have seemed entirely reasonable.

I don't think you can tar the OpenSSL folks with this without much better evidence.



OTOH, the fact that the delivered code had a bug rendering it unusable suggests whoever requested it didn't really need to use it – or they'd have discovered the bug earlier. That's vaguely suggestive the client may have paid for its inclusion for mere show, or as a favor for another entity.

I wonder: is the client which paid for the non-functional implementation, which if I understand correctly is now scheduled for deletion rather than fix, entitled to a refund?


"Implement ALL the algorithms" sounds like a requirement drafted by somebody enamoured of the standard rather than by somebody looking at what they were actually going to use.

"Our product is compatible with all of <impressive sounding standard>" may, indeed, have been worth the money to the customer even if the value was marketing rather than technology.


I agree. It's still notable, though.



