That is because, among the six file system scanners implemented in the plugin, only one checks for malicious code; the other scanners only check the integrity of the files, and that only applies to the WordPress core files. Everything inside the content folder is ignored.
Now, the malware scanner only runs when the user executes it. It does not run in the background; you need to click a button to execute it from the administrator. If you ran the malware scanner and it did not report any malicious code, it is because SiteCheck (which is the service that powers the Malware Scan page) does not check the content of the files (because that would require having full access to your hosting account, and we are not requesting that level of access from the plugin). Instead, it checks the rendered code of those files, so if the malware is smart enough to hide from a web scanner, it will not be flagged by the plugin.
The story is different if you are using the “Server Side Scanner”, which is another service offered by Sucuri.net, but it is a premium service, so you will need to pay for it to use it.
If you do not mind, I would appreciate having a copy of the malware that you found in that “index.php” file. I will forward it to our research team and it will be added to our signature database.