"Yes, we can trace the changelogs in the software & note who was checking the changes and missed them, but that all can be circumvented."
Actually it can't. That's kind of the point of git.
"The fact is we don't know if Heartbleed was an honest mistake or not...we don't know who knew and when..."
We do know who and what and when, because the person who wrote it and the person who signed off on it have commented publicly about the bug.
Maybe you're thinking of Apple's "goto fail" SSL exploit, where we really don't know who or what or when and probably never will, because it's not likely Apple is going to release their RCS logs.