Post
Topic
Board Bitcoin Discussion
Re: Mt Gox Break In Part 2
by DiabloD3 on 13/09/2011, 08:00:31 UTC
Forging a SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly.  However, you still have to accept the change in certificate for the forged-SSL MIM attack to work.  Did you log in to MtGox from strange internet connections in shady places?  Or did MtGox get their DNS forged as well?

No, a forged cert from DigiNotar would allow one to transparently execute a MiTM attack against an end-user, without her seeing any security warning whatsoever. Except in 1 scenario, see below...

Quote from: kjj
Is there actually a browser that will remember a certificate and complain if that cert is replaced with a different valid CA-signed cert?

...only 1 browser would warn you: Chrome, because Google hard-coded hashes of the public keys for a small number of high-profile websites' certificates. This is called public key pinning.

Mozilla is considering pinning keys on first site access. So the only way to MITM with false certs is during the first access (which makes it the same as ssh's flaw with server fingerprints (aka ~/.ssh/known_hosts)).

DigiNotar is a clusterfuck, regardless.
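
The two pinning modes discussed in this thread (pins shipped with the browser, and pins recorded on first access as with ~/.ssh/known_hosts), as an added example that is not part of the original post or any browser's code. `PinStore`, the `.example` host names and the key bytes are hypothetical and constructed for illustration; real pins are computed over the SubjectPublicKeyInfo of the server certificate.

```python
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin value: SHA-256 over the certificate's public-key (SPKI) bytes."""
    return hashlib.sha256(spki_der).hexdigest()

class PinStore:
    """Hypothetical client-side pin store with both pinning modes."""

    def __init__(self, preloaded=None):
        self.preloaded = {h: set(p) for h, p in (preloaded or {}).items()}
        self.learned = {}  # host -> pin recorded on first access

    def check(self, host: str, spki_der: bytes, ca_valid: bool) -> str:
        if not ca_valid:
            return "reject: chain not trusted"
        pin = spki_pin(spki_der)
        if host in self.preloaded:  # pins shipped with the client
            if pin in self.preloaded[host]:
                return "ok: preloaded pin"
            return "reject: preloaded pin mismatch"
        if host not in self.learned:  # first access: nothing to compare against
            self.learned[host] = pin
            return "ok: pinned on first access"
        if self.learned[host] == pin:
            return "ok: matches learned pin"
        return "reject: key changed since first access"

# Constructed stand-ins for SPKI bytes; real ones come from the server certificate.
REAL_KEY = b"constructed-spki-legitimate-site-key"
ROGUE_KEY = b"constructed-spki-key-in-misissued-cert"

def demo():
    store = PinStore(preloaded={"pinned.example": {spki_pin(REAL_KEY)}})
    fresh = PinStore()
    return [
        # CA-signed cert with a different key on a preloaded host: caught.
        store.check("pinned.example", ROGUE_KEY, ca_valid=True),
        # Learned pin: first visit genuine, later key swap is caught.
        store.check("site.example", REAL_KEY, ca_valid=True),
        store.check("site.example", ROGUE_KEY, ca_valid=True),
        # First-access gap: a rogue key seen first is pinned, the real one rejected.
        fresh.check("site.example", ROGUE_KEY, ca_valid=True),
        fresh.check("site.example", REAL_KEY, ca_valid=True),
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last two results show why first-access pinning inherits the known_hosts weakness: whatever key is seen first becomes the reference, so a preloaded pin is the only mode that protects the very first connection.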