No need to wonder, I do know what OpenSSL is.  And as someone who is a 40+ year IT professional and took and passed the CISSP security professional exam, I’m also aware that just because software has a vulnerability does not mean that is exploitable in every use case.

Yes you have a valid question as to why they used these components but very few of here can shed any light about those decisions, if the defects are applicable to VMware’s use of the software, and what plans are. This is a user to user forum with the occasional look in by VMware engineers, complicated by VMware not telling anyone about future plans  

 If you’re concerned, I still maintain that he best course of action is to raise a support case with VMware or contact their security response team.  From experience, your case will be helped if you can find an instance where the vulnerabilities listed can be exploited in Workstation or VMware Tools. Nothing helps change like an actively exploitable vulnerability. 

My comment in my prior post about going to VMware with concrete examples of exploits rather than just saying they’re using old components was a bit strong and I do apologize for that.