Heartbleed was a simple programming mistake not caught by the small team of developers who manage OpenSSL and contribute to and manage the software.
As a result of the vulnerability, which has existed for 2 years, all websites using OpenSSL need to have users change their passwords and they also must order replacement SSL certificates from a Certificate Authority.
Read more on how SSL works and what a root CA is...
Unfortunately, SSL certificates cost money. They are usually in the $10-$150 range.
Considering that there are only 3 developers working on OpenSSL, and yet, most of the CA's customers will be using OpenSSL, in my mind, says that they should have developers contributing to, and auditing that codebase.
Their entire business relies on this chain of trust, so they should be auditing it. It's their job.
That's why a re-issue due to Heartbleed should be free of charge.