Official answer.
VMware uses supported versions of OpenSSL libraries. The 1.1.1 line is still supported (through later this year), and in fact many VMware products are using the 1.0.2 line (via an extended support contract with OpenSSL) and in the midst of migrating to the 3.0 line. I do not expect much adoption of the 3.1 line due to it having a shorter support lifetime than the 3.0 line's long-term support (3.1's only major feature is moving from FIPS 140-2 to FIPS 140-3).
There is no practical benefit to being on the latest library version (beyond shiny number bragging rights) - latest 1.0.2 / 1.1.1 / 3.0 / 3.1 are all equally secure with suitable patch releases. We do try to update regularly, but the priority for releases is more severe issues (for example, Workstation 17.0.2 includes fixes for CVSS 9.3 issues); we would not delay a release containing critical fixes to include moderate fixes in OpenSSL.
The more important question here is why Workstation is on 1.1.1q instead of the latest 1.1.1t. The answer is that the most severe issues are "moderate" which we expect to address in the next release (for Workstation, major or minor number). Side note: OpenSSL does have one "high" issue related to CRLs, but Workstation does not process CRLs so it does not apply. The official VMware policy is here:
https://www.vmware.com/support/policies/security_response.html
and you can examine OpenSSL's view of severities (in the 1.1.1 line) here: