Payment protocol does not increase the lib dependencies in bitcoin-qt/bitcoind. Have you looked at the implementation? it's pretty small.
It ties the implementation to openssl lib even more, making it harder (if not impossible) to remove openssl dependency in the future.
And openssl is a much bigger mess than the bitcoin at the current stage.
As we have learned recently NSA is probably actively trying to put backdoors wherever they can.
There are reasons to suspect that they had Google to put one into Android's RNG - also an open source code.
I would say that openssl would be one of their targets as well.
But it does not even need to be NSA - it can be just a bug.
All it takes is one bug that would allow to inject an exploit via a stack overflow (e.g. via a "broken" certificate) - and there goes all your money...