I got this wrong. Looking at the reference provided (which was one of the pages that I read carefully before choosing an option) I found that the code example for restoring on a different machine included:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '*rt@40(FL&dasl1';
-- Recreate the server certificate by using the original server certificate backup file.
-- The password must be the same as the password that was used when the backup was created.
CREATE CERTIFICATE TestSQLServerCert
FROM FILE = 'TestSQLServerCert'
WITH PRIVATE KEY
(
    FILE = 'SQLPrivateKeyFile',
    DECRYPTION BY PASSWORD = '*rt@40(FL&dasl1'
);
That second comment line very clearly states that the password is required as well as the certificate; the password is used twice, once for MKE and once in restoring the certificate. So it's pretty clear that either the "correct" answer is wrong or the page referenced contains a big error. I also guessed that the SQLPrivateKeyFile was an encrypted file also required, since the qualifier of the private key description is DECRYPTION BY PASSWORD and not ENCRYPTION BY PASSWORD.
The explanation provided for the answer is just a simple restatement of the answer, which makes it an utterly pointless explanation - it would have been nice to have an explanation that made some attempt to explain the answer rather than just repeat it.
Probably I'm misinterpreting something here, but I can't see what. Is anyone willing and able to explain it to me, please?
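
The backup and restore sides of the certificate move shown together, as an added example that is not part of the original post or of the referenced page. The certificate and file names are the ones quoted above; the angle-bracket passwords are placeholders. It separates the two passwords: the one protecting the private key file is set at backup time and must be repeated at restore time, while the master key password is chosen on the destination server and is independent of the source.

```sql
-- Source server: export the certificate and its private key.
-- The password here encrypts the private key FILE, nothing else.
USE master;
BACKUP CERTIFICATE TestSQLServerCert
TO FILE = 'TestSQLServerCert'
WITH PRIVATE KEY
(
    FILE = 'SQLPrivateKeyFile',
    ENCRYPTION BY PASSWORD = '<private-key-file-password>'
);

-- Destination server: a database master key must exist in master so the
-- imported private key can be stored encrypted. Its password is local to
-- this server and does not have to match anything on the source.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<destination-master-key-password>';

-- Recreate the certificate. DECRYPTION BY PASSWORD must be the same value
-- that was given as ENCRYPTION BY PASSWORD in BACKUP CERTIFICATE above.
CREATE CERTIFICATE TestSQLServerCert
FROM FILE = 'TestSQLServerCert'
WITH PRIVATE KEY
(
    FILE = 'SQLPrivateKeyFile',
    DECRYPTION BY PASSWORD = '<private-key-file-password>'
);

-- Check: the thumbprint must match the source server's certificate, and the
-- private key should now be protected by the destination's master key.
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TestSQLServerCert';
```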