Fair enough, but bear in mind that StartSSL's revocation fee is lower than what most certificate providers charge as a starting price. Personally, I'm fine with taking the risk and eating the $25 cost if something unexpected happens.
No company should be incentivising companies to not revoke compromised certificates. Even if the cost is modest. It's more about not patronizing a company with such a bad business model than it is about the dollar cost.
StartSSL's business model: making things free that don't cost them measurable money, and charging for transactions that cost them money.
An exception from that rule in the wake of Heartbleed would arguably have been appropriate, but the business model as such is in no way bad. If the whole SSL industry worked in a way that put price and cost in proportion, there would be no need for Let's Encrypt.
Not encrypting is better than not revoking a compromised certificate. A compromised certificate gives the user the impression that the connection is secure when its security is compromised. A plaintext connection makes no false claims.