The patch itself isn't that difficult to implement, but the problem is that along with patching the software, some applications need to look at whether or not they need to revoke and reissue various digital certificates. A digital certificate is most commonly used by a web browser to validate that a web server is secure. The website applies for a certificate with a certification authority (CA) as away to prove it is who it says it is. This certificate shows that website X is connected with a specific name, email and DNS address, which helps "prove" its identity. Codenomicon, the security firm that along with Google's Neel Mehta discovered Heartbleed, found that it was able to use the vulnerability to steal the secret keys attached to its own X.509 digital certificates. X.509 is an extremely common cryptographic protocol for digital certificates.
Codenomicon's discovery means that It's possible that any certificate issued before the Heartbleed vulnerability was patched could still be compromised. If someone was able to sneak in an grab a site's digital certificate before the site was patched, it could make changes to the certificate or masquerade another site as having a different identity.
Organizations have to make the determination whether to revoke and reissue all certificates via a CA or wait for current certificates to expire. It's not trivial to just revoke and reissue a bunch of SSL certificates, it takes time. With the number of potential certificates that need to be revoked or reissued, it could take days or weeks for every CA to catch-up for every service. If the certificates were issued when the site was still vulnerable
the reason is that those who don't do it - or plan to do it quite fast - just take the fast road and leave an attack possibility open that may come to haunt them later.
that is that your certificate (the keys) may be compromised and that your certificate itself may become untrusted