Hello Rick,
In regard to your questions concerning the 'hidden filter' (a.k.a. Intersect Filter), that filter may be viewed via the SSE Reports found on KM: HOWTO52986. Import the attached .xml report, and you will find the Patch Filter report under the imported location > SSE Reports > Solutions > Patch Management > Patch Filters.
From this report, search for the bulletin, right-click > Open in new window, and view the listed vulnerable clients. This is fairly cut-and-dry, for if it is not listed in this report, it is not vulnerable. You are unable to modify or edit this report, for it is a compilation of Client Patch Inventories compared to the IsApplicable Rules for each Software Update (hence the name 'Intersect Filter').
In order for the clients to display as vulnerable to an update, the client's Patch Inventory must return and make the necessary resource associations to the Software Update's IsApplicable Rule. Otherwise, the report will not show that the vulnerability exists, as per Roman's comment above.
If you are ever in question of whether or not the clients are returning Patch Inventory, review KM: HOWTO60750, for it details how to ensure that process is completing.
Hope this helps,
Joshua