Unless you have a lot of sites with multiple site links, it shouldn't normally take that long for security changes to replicate. What may be, though, is that the change was made after the user logged in. When a user logs in, the security token is built based on current memberships (so far as the domain controller knows). If a change is made after that, the security token isn't updated until the user logs in again.