Yeah--it should be a no-brainer. Running such critical code through as many static analysis tools you can get your hands on should be standard practice. I wonder why Coverity and the rest havent taken it upon themselves. I remember a story about Coverity running their tool on random open source projects and emailing them about issues they found. Maybe OpenSSL is too far in the hole to start that now.

There is some public work on this:

http://bap.ece.cmu.edu/

Unfortunately, most people do not find this to be terribly exciting. Worse still, there is almost no demand for it; most programmers want to quickly hack out something cool, and by the time they begin thinking about security it is too late.