A non-paranoid, non-conspiratorial option would be that deploying software updates is delayed until proper testing can be done. Gmail has *a lot* of users, and it's very probable not everyone even uses the same Gmail, because of stuff like A/B testing and other complications that can arise with such a large architecture. Maintaining this mess usually isn't done in an "I see something bad, I fix it" fashion but more in a "we've got a batch of things to do, let's lump them together in a milestone" kind of way.
Of course security issues should be treated faster, but it's also possible that Google used that to monitor who tried to abuse it. There's a large set of options that can explain the delay. The exploit being released for anyone to use makes it more important to fix now.
That's a somewhat naive view on things, and the reality is probably more complex, but as a software developer I see some reasons to not deploy a fix ASAP. It's even possible the fix they deployed *now* is not the final one but only a quick mitigation.