...testing that would have caught this bug would have involved creating tests that virtually duplicated the system under test...
This isn't even remotely true. Each one of the 'if' statements in the function could have been tested with a certificate that was broken in the way that the statement was checking for:
foreach (cert in MyBigAssCollectionOfCerts)
I'm guessing the test team (if they had one) didn't have a tool for creating a broken cert for each case.
Thus mathematics may be defined as the subject in which we never know what we are talking about, nor whether what we are saying is true. -- Bertrand Russell