Root cause analysis must have failed pretty bad. I worked at Heroku and with how much headcount they've lost my Salesforce starving the beast over the years, it's not surprising that it would take this long for them to react like this. When you scare away the best people with Salesforce policies, their Jira clone built on Salesforce, and overall being difficult to impossible to get more people on the team; yeah people will pack their shit up and leave.

Given how much of a web of interdependent and undocumented pain heroku is, I'm not surprised it's taken this long. A security team without any context to Heroku must have had to trace through everything system by system. Especially if core-db got popped.