The .cer file contains (it is the common case) only the X509 certificate in an unencrypted form. In that case, no password is required to decode the certificate. I suppose the X509Certificate2 constructor tries to determine the encoding format of the Byte[] parameter and ignore the password parameter when it is not required. And it is more than likely that, after being created, the PrivateKey property of the object is null.

When loading a .cer file you should use the constructor which takes only 1 Byte[] parameter. The documentation of that constructor clearly specifies the supported data formats:

This constructor creates a new X509Certificate2 object using certificate information from a byte array. The byte array can be binary (DER) encoded or Base64-encoded X.509 data. The byte array can also be a PKCS7 (Authenticode) signed file; the signer certificate is used to create the object.

The PKCS#12 format (.p12 or .pfx file) is a container format for certificates and private keys. In that case the password is required to decrypt the encrypted private key. Actually the behaviour with a PKCS#12 file is specified in the The X509Certificate2 constructor documentation:

This constructor is used with PKCS12 (PFX) files that contain the certificate's private key. Calling this constructor with the correct password decrypts the private key and saves it to a key container.