That's actually a quite easy to understand problem as well.
The difference is pretty major. It's believable that someone forgot to consider the case where a new certificate was negotiated. It's downright inconceivable that no one tested whether a bad certificate failed validation. That's like selling a pregnancy test without testing what happens if the person isn't pregnant.
Compare the reporting of this to the Chrome vulnerability in TLS patched yesterday... https://news.ycombinator.com/item?id=7295785