I'm wondering, does this just test if the bug is present?
Yes.
If so, that means if the file with the bug is updated, but the certificate is not updated, it might give a false negative…
Not really a false negative because the vulnerability is not any more there. But yeh if your server was once vulnerable, you should consider the private key of the certificate as stolen and potentially even users' cookies/passwords. That's why I assume bitcointalk.org never had this vulnerability because I am sure theymos would have made a topic about it then (with a warning to change our passwords to be sure.)