There are always programming errors in software code. It is only a question of how serious and how many users are affected. In the case of the Heartbleed bug, it is extremely serious and very widespread due to the massive adoption of the open-source OpenSSL code. The bug allows private information to be accessible.
OpenSSL is used for cryptographic security of information in places like 1) the "s" in https:// for secured website access, 2) networking equipment such as home routers and Internet routers, 3) devices such as computers, smartphones and tablets. There are millions of places that will require the software fix, including servers, routers, consumer devices and their apps. It is hard to imagine that 100% of these devices will be fixed. If human ingenuity were 100%, the Heartbleed bug would not have existed in the first place.
At the time of writing (Apr/2014), the CRA has suspended its online services at the peak of the income tax filing season. So far, the CRA has revealed that 900 SIN numbers have been exposed to theft as a result of Heartbleed. The CRA issued a statement saying the affected people will be receiving a registered letter from the CRA. The CRA is criticized for failing to shut down its online services soon enough after the Heartbleed bug was announced by security researchers who discovered the vulnerability.
Apparently, the NSA knew and exploited Heartbleed for at least 2 years. The NSA has no moral obligation to inform netizens and has no legal constraints on gathering intelligence and information. There are conspiracy theories that the NSA planted the bug, or paid someone do it. There are also conspiracy theories that the NSA has backdoors into various cryptographic algorithms such as RSA and SHA-1.
On a related thought, Bitcoin is a crypto-currency implemented with open-source software. It is only a matter of time before nefarious code and/or programming errors will be exposed for all cyrpto-currencies including Bitcoin. The collapse of the Mt. Gox Bitcoin exchange is already evidence of software errors leading to theft and/or loss of Bitcoins.