Why would they support such an effort if they didn’t think it would improve security in general? It demonstrates that browser vendors agree that short-lived certificates are a good thing, which was my claim. The fact that Google uses 3 months as well still remains, by the way.
Indeed, it shows that CAs generally move very slowly. If you’ve been following the CA/B Forum at all, you’ll have noticed that browser vendors generally push for stricter requirements, while CAs are often concerned with trying to push for exceptions, extensions for deprecations (SHA-1), etc. I’m simplifying quite a bit, and there are plenty of CAs that do not fit this description, but it definitely puts things into perspective. Whenever I see a vote where the vast majority of browsers votes yes, while most CAs vote no, my alarm bells ring.
Admittedly, 60% was not exactly accurate. I seem to have forgotten that older OpenSSL versions were not affected, which probably saved us a lot of trouble. I guesstimated based on “Linux/Unix market share for web servers”.
The point I wanted to make is not that no one fixed Heartbleed (almost everyone did), but that Heartbleed leaked your private key, and a large percentage of sites affected by Heartbleed did not revoke those certificates - and even if they did, revocation does not work anyway. If the average certificate lifetime at the time Heartbleed was detected had been 1.5 months, we wouldn’t still have a huge number of keys in active use that could’ve been previously leaked through Heartbleed. Fixing the vulnerability would have no effect on that.
On a final note, since you agree that short-lived certificates are a good idea: Look at 90-day certificates as a compromise that pushes the industry towards automation (which would be absolutely necessary for 4-day certs), while still allowing for a manual or semi-manual process until the ecosystem matures.