Scott Taylor talks about how is_ssl() is inadequate in load-balanced environments in a recent blog post. Scott touches on recent issues with the New York Times recent upgrade to HTTPS and shares some knowledge. I think the last sentence in his post is a blunt, but accurate summary after reading his post:
If you search the WP codebase for is_ssl(), your stomach might sink and you might be convinced of the need for is_ssl() to be patched universally.