I wonder how many of those free certificates were potentially compromised by heartbleed because the owners don't want to pay to get new "free" certificates.
Indeed, and it's even worse than you suggested. Normally what you would want to do after a vulnerability like heartbleed that put your private key at risk* is:
1: obtain a new certificate
2: install the new certificate
3: revoke the old certificate
Unfortunately as a startssl free user you can't easily do that. Not only do revocations cost money, they also have stupid policies about duplicate certificates which mean you have to either buy the new cert from a different CA, upgrade to the paid/verified startssl tier** or incur substantial downtime by revoking the old certificate first.
I bet a lot of people just said screw it and waited until the certificate expired before rekeying (and possibly by the time the cert did expire had forgotten about the issue and didn't rekey then either).
*AIUI heartbleed wasn't a particularly easy vulnerability to actually exploit to get the key, it's not like say the Debian openssl vulnerability where the keys were unquestionably compromised.
**a class 2 (paid/verified) cert and a class 1 (free) cert in the same name apparently don't count as duplicates because they are issued from different intermediates, and even if they did, paid certs unlike free ones allow secondary names which works around the issue.
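The rekey step in the procedure above is the one that actually addresses a leaked private key, and it is easy to get wrong: a certificate reissued from the old key is not a rekey. The script below is an added example (not code from the thread's posters) that generates a constructed "old" key and certificate, a fresh key and CSR, and a CSR submitted from the old key, then compares SHA-256 fingerprints of the public keys to tell a genuine rekey from a reissue. It assumes a local `openssl` binary; the CN `example.test` and the file names are made up.

```shell
#!/bin/sh
# Added example: verify that a replacement certificate/CSR is on a NEW key.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for the certificate currently in service (old key, self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/old.key" -out "$WORK/old.crt" \
  -subj "/CN=example.test" -days 30 >/dev/null 2>&1

# Step 1 done properly: a brand-new key pair and a CSR for the replacement cert.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/new.key" -out "$WORK/new.csr" \
  -subj "/CN=example.test" >/dev/null 2>&1

# The mistake to detect: a CSR built from the potentially compromised key.
openssl req -new -key "$WORK/old.key" -out "$WORK/reissue.csr" \
  -subj "/CN=example.test" >/dev/null 2>&1

# SHA-256 fingerprint of the SubjectPublicKeyInfo carried by a cert, CSR or key file.
# $1 = kind (x509 | req | key), $2 = PEM file
spki_fp() {
  case "$1" in
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) only when the new object uses a different public key than the old cert.
# $1 = old cert file, $2 = kind of new object (req | x509 | key), $3 = new file
is_rekeyed() {
  [ "$(spki_fp x509 "$1")" != "$(spki_fp "$2" "$3")" ]
}

# Report for both candidates; in practice point $1 at the cert the server is serving.
for csr in new reissue; do
  if is_rekeyed "$WORK/old.crt" req "$WORK/$csr.csr"; then
    echo "$csr.csr: different key than old.crt (rekeyed)"
  else
    echo "$csr.csr: SAME key as old.crt (not a rekey, do not deploy)"
  fi
done
```

The same `spki_fp x509` check works on the certificate actually served after installation (step 2), which is the point at which to confirm the rekey happened before spending money on the revocation in step 3.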