Using ELB to achieve this means they are doing SSL termination on the ELB itself which means the request is no longer encrypted within heroku, unless of course they are using another cert for the connection between ELB->dynos.
But if the instances also live on ec2 (which they do in the heroku case), you would still run into the issue of needing separate instances to terminate SSL on for each SSL enabled site (with the 1 IP limit). It would seem much more economical for them to terminate at the ELB level and only pay for an ELB per customer.
I guess alternatively you could leverage the funky port forwarding hack on elb and put each ssl site on a different backend port. but that just seems like a mess.