I came across SoftHSM2 from OpenDNSSEC (BSD license), which is a drop-in replacement for an HSM, except that SoftHSM2 lacks only physical security. Also, given that PKCS#11 is the standard interface for working with both SoftHSM2 and an HSM/TPM without any changes in code, it stands as a good choice to me. Thus, it would allow using the same hardware with and without the TPM part mounted, running identical binaries.
Please advise me on the use of SoftHSM2 in commercial products, provided that the physical security of the product is taken care of by other means. Could you also name some products already using SoftHSM2? Also, are there any vulnerabilities found in SoftHSM2? At least, I could not find any.