
https://www.startssl.com/ provides free domain-validated certificates.


Please don't use startssl. Revocation costs money, and the company's behavior surrounding heartbleed was at the very least very unethical.


Fair enough, but bear in mind that StartSSL's revocation fee is lower than what most certificate providers charge as a starting price. Personally, I'm fine with taking the risk and eating the $25 cost if something unexpected happens.


No company should be incentivising companies to not revoke compromised certificates. Even if the cost is modest. It's more about not patronizing a company with such a bad business model than it is about the dollar cost.


StartSSL's business model: making things free that don't cost them measurable money, and charging for transactions that cost them money.

An exception from that rule in the wake of Heartbleed would arguably have been appropriate, but the business model as such is in no way bad. If the whole SSL industry worked in a way that put price and cost in proportion, there would be no need for Let's Encrypt.


How does an automated revocation cost them money?



What about every other certificate issuer, whose up-front fees incentivize companies to not encrypt data in the first place?


Not encrypting is better than not revoking a compromised certificate. A compromised certificate gives the user the impression that the connection is secure when its security is compromised. A plaintext connection makes no false claims.


In which case if you don't want to pay for revocation, you could just revert back to an unencrypted connection.


> Revocation costs money[...]

I think it's quite understandable that they charge for things that cost them money, but keep the rest free. You can't really expect for them to give out for free something that has a cost for them.


I am thinking that they should adopt short lived certificates.


On top of the revocation issues, StartSSL is only free for personal use; if you intend to obtain a cert for a small business or some other non-personal purpose, they won't give you the cert. I also recall StartSSL being incredibly difficult for those who only have a P.O. box for a mailing address (as was the case for me; my apartment didn't have a mailbox, so I had to receive all mail at a P.O. box, which StartSSL didn't like).


The issue is you have to pay for revocation.


Be aware that the free cert does not support certificate transparency. This will lead some browsers - notably Chrome but I imagine there are/will be others - to give a user warning about SSL integrity. There are supposedly some workarounds [1] but no official support.

[1] http://korusdipl.egloos.com/6152770


Chrome only downgrades EV to non-EV without SCTs. You can always send them yourself via the TLS extension method.
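One way to tell, before resorting to the TLS-extension route, whether a certificate already carries embedded SCTs is to look for the RFC 6962 extension OID in its Extensions block. The following stdlib-only Python is an added example that is not from the thread or from StartSSL; it walks a DER-encoded Extensions SEQUENCE and reports the extension OIDs it finds, using hand-encoded sample extension blocks constructed for the example rather than a real certificate.

```python
# Added example (not from the thread): check whether an X.509 Extensions block
# carries the embedded SCT list extension (RFC 6962, OID 1.3.6.1.4.1.11129.2.4.2).

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"   # RFC 6962 embedded SCT list

def der_read(buf, pos):
    """Read the TLV at buf[pos]; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Dotted OID from its content bytes (first byte packs the first two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extension_oids(extensions_der):
    """extnID of every Extension inside a DER Extensions SEQUENCE."""
    tag, seq, _ = der_read(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, ext, pos = der_read(seq, pos)          # one Extension SEQUENCE
        tag, oid_content, _ = der_read(ext, 0)    # extnID comes first
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids

def has_embedded_scts(extensions_der):
    """True when the certificate's extensions include the SCT list."""
    return SCT_LIST_OID in extension_oids(extensions_der)

# Constructed sample Extensions blocks (hand-encoded DER, not from a real cert):
# basicConstraints (2.5.29.19, critical) optionally followed by an empty SCT list.
WITH_SCT = bytes.fromhex(
    "3020"
    "300c0603551d130101ff04023000"                # basicConstraints
    "3010060a2b06010401d679020402" "04020400")    # SCT list extension
WITHOUT_SCT = bytes.fromhex("300e" "300c0603551d130101ff04023000")
```

A certificate whose Extensions block reports no SCT OID is the case the comment describes: the browser will not see embedded SCTs, so they would have to be delivered via the TLS extension or OCSP stapling instead.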



