But take OpenSSL as an example of a critical security program. Nothing in the usage practice suggests not upgrading the compiler, or even going to the next version of libc.

Many open-source programs can be security-critical (any network-facing daemon, for instance), and there's nothing which ties them to a specific compiler.

"security-critical" means different things to different people.

For some (many?), the failure of a security-critical system means unauthorised access to information.

For some, the failure of a security-critical system means people could die.

In the latter case (e.g. medical devices), having a stable environment is far more important than having the latest version.

I usually hear the latter type of system described as "safety-critical" or "life-critical". You're right that it's an entirely different world, though.

It is the difference between security critical and mission critical.