Re: FIPS stands for reduced security
It's funny that you pay extra for a FIPS-certified device, and receive something which is less secure than the regular one.
It's not quite that simple. Yes, it's true that fixing a bug (say, Heartbleed) in crypto code can invalidate FIPS certification but leave you with more secure code. Even so, since the original code went through the FIPS algorithm testing and code inspection, it's still likely to be better than if it had never been certified in the first place.
Similarly, there's a FIPS version of OpenSSL. Nobody uses it - except those required to by policy. What you get is effectively an old version of OpenSSL with a bunch of features stripped out.
FIPS certification of open source code is tricky, since the end result depends so much on the compiler and build environment. There is also the question of who will pay for the certification, which is why it tends to lag the current release. What you get with the current FIPS-certified OpenSSL (it's likely to change for the next release) is the standard OpenSSL code, and a plugin module with FIPS-certified crypto. That plugin has had the algorithms which are known to be insecure removed, and must be compiled exactly as specified. It's still essentially the same OpenSSL code as everyone else uses, though.