You raise an interesting point. If this was undetected for 2 years, why didn’t whoever found it just tell the people who make the software so they could fix it without the bad guys ever knowing that the security problem existed?
OpenSSL is open source. Making something like this public to the open source community means it spreads like wildfire and causes panic.
They did the right thing. They found the vulnerability, worked with the key players in the open source community to ensure the patches were pushed to affected platforms, and only after the patch had been pushed to a majority of affected platforms did they go public.
This patch was actually pushed 2 months ago. Since certificates, once generated, are generally valid for at least a year and sometimes over 5, there are a lot of vulnerable certificates out there in the wild that were generated with the affected software, thus leaving software vulnerable.