If there's a single systemic problem with HTTPS, it's that we're still largely relying on Certificate Authorities which charge a lot of money. The expense and complexity discourage people from using SSL more ubiquitously.
I don't think that's really it - I can get as many commercial-grade SSL certs for 7 bucks as I want. I got a couple at Namecheap for $2 when they were running a special. That's a large coffee at McDonald's. I've purchased 5-year wildcards for $150.
How cheap does it need to be to be usable? For most people setting up a CA takes more time than $7 is worth.
If there's an immediate problem, it's the default root stores. Why would I trust the US DoD to sign certs for Google, or, heck, even my own mail server? A default install of most browsers and OSes will. Oh, but we should be afraid of the NSA exploiting Heartbleed? Heh, ceilingcat don't need no protocol exploits.