OpenSSL 1.1.1h in base. OpenSSL 1.1.1l installed.

I have a FreeBSD host updated to 12.2p11.
# freebsd-update fetch
src component not installed, skipped
Looking up mirrors... 2 mirrors found.
Fetching metadata signature for 12.2-RELEASE from done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.2-RELEASE-p11.

I have openssl 1.1.1l installed.
# pkg info openssl
Name           : openssl
Version        : 1.1.1l,1
Installed on   : Mon Oct 11 13:39:04 2021 EDT
. . .

However, when I check the openssl version I see v 1.1.1h returned. Why? Because that is the version in base.
opensll version
OpenSSL 1.1.1h-freebsd  24 Aug 2021

How do I get v1.1.1l installed so that the system actually uses it?

A follow-on problem is that I have the same problems in the IOCAGE ails that run on this system. The have been updated and they have openssl v1.1.1l installed. However, the jails do do not used the installed openssl either; and use the vulnerable version instead. How is this fixed?
if you run p11 openssl is patched, fixed
all of the base system binaries use base openssl so you can't easily (or at all) fix base with a package
you can link ports against the port openssl if you rebuild them after installing the openssl port
so if you rebuild for example curl it will use openssl package/port