You hit the nail on the head when speaking of Heartbleed and Shellshock. I have to think that the I.T. community's rapid reaction to Heartbleed was notable. I feel like that took a lot of major organizations by surprise, which resulted in critical changes being implemented to ensure that everyone felt comfortable their organizations were protected.
What I want to point out is the reaction from the media and the consensus of colleagues at different organizations is that Shellshock was viewed as less of a threat by leadership. Now, one could say that this was due to the timing and the understanding that the organizations now know how to deal with this problem. I think the issue was that the support was just not there for what is, and was, a more critical issue: the Shellshock exploit.
It all comes down to communication and ensuring the risks are presented in a way that makes sense, and that the people that need to be talking start talking. No 12-24 month compliance checks; it's a get-it-done-now mentality that needs to be understood for organizations to protect themselves.