It could also be that the public API is too large and exposes unnecessary bits that now make it hard to change even incidental, conceptually irrelevant behavior simply because some user probably relies on it. Even a clean, well-documented implementation with active, capable maintainers is hard to refactor when the API is large and intrusive.
(I have no reason to believe this applies to NSS.)
I'm not sure how to interpret that statement. It could mean any of the following, or something I'm not even thinking of:
The code is inscrutable and/or the documentation is poor: That's obviously a problem.
Commits removing code are delayed/ignored: Probably also a problem, but maybe there are valid reasons for this, such as more thorough testing?
There's little cruft to remove: This would be a positive. Not having much of a mess to clean is hard to consider a problem.
Am I close with any of those?