Obfuscation is "required" when either of the three following situations applies:
- The application does something which is inherently weak such as embedding a secret value in the source code.
- The application designer wants to "feel safe", and is sufficiently incompetent at cryptography so that obfuscation provides that feeling (ignorance is bliss).
- The application vendor wants to protect his "intellectual property". Code obfuscation will not ultimately prevent copiers from understanding how the code work, but it may delay their reverse-engineering efforts by a few days (not much more than that); more importantly, obfuscation is a way to make it obvious that the code contents are not meant for external inspection, which helps in obtaining legal qualification of forbidden reverse engineering in some jurisdictions.
Removing and/or obfuscating OpenSSL will not really help if the application embeds secrets or try to do "content protection"; the endeavour is hopeless anyway (that's case 1). As for case 3, there is no intellectual property to protect in AES because AES is already public, and is not the vendor's property to begin with. However, obfuscating OpenSSL (or removing it and replacing it with a homemade implementation, or any other ritualistic incantation) can go a long way towards helping the designer sleep at night; if that's what it takes to make him happy...
The underlying idea is that despite what some people strongly believe or claim, obfuscation does not work. Well, it does not break the code, the software still works after obfuscation; but it does not increase technical security against reverse-engineering, and does not improve content protection. The one point which may make obfuscation a rational decision is legal qualification; and that one does not apply to OpenSSL, which is already open-source.