My understanding is that instead of looking for a confirmed transaction to a bitcoin address for the amount requested, they were looking for the hash of a transaction, which apparently can be changed.
So if you rely upon the piece of information that can be changed, bad things happen, so it requires a different confirmation mechanism before letting things be automatic.
Nicely put! Yours is the briefest (accurate) explanation I've seen. There are quite a few (accurate) longer versions popping up now, most of them pretty damning to Gox.
Here's a typical one:
http://cryptolife.net/today-mt-gox-died-and-it-tried-to-take-bitcoin-with-it/
It includes a reminder of how this will be spun: "Of course, the mainstream media is absolutely loving this, as it gives them the chance to proclaim that bitcoin has been “hacked”."
Trust Gox to make a hash of it.
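The distinction drawn in the first post, as an added example that is not part of the thread and not code from any exchange: a withdrawal tracker that matches on the transaction hash next to one that matches on what the transaction does. The `Tx` model, its serialization, the addresses and the signature bytes are simplified, constructed assumptions rather than Bitcoin's wire format, and including the spent inputs in the stable identifier is an assumption added here so that repeat payments of the same amount stay distinguishable.

```python
import hashlib
from dataclasses import dataclass


def dsha(data: bytes) -> str:
    """Double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    # Simplified model (assumption): not the real Bitcoin serialization.
    spent: tuple    # outpoints consumed: ((prev_txid, index), ...)
    sig: bytes      # signature bytes; their encoding is not fixed by the payer
    outputs: tuple  # ((address, amount_in_satoshi), ...)

    def txid(self) -> str:
        # The hash covers the signature bytes, so it can differ for the same payment.
        return dsha(repr((self.spent, self.sig, self.outputs)).encode())

    def stable_id(self) -> str:
        # Hash of the payment's effect only: which coins moved, to whom, how much.
        return dsha(repr((self.spent, self.outputs)).encode())


def confirmed_by_txid(sent: Tx, chain: list) -> bool:
    """Fragile check: look for the exact hash that was broadcast."""
    return any(tx.txid() == sent.txid() for tx in chain)


def confirmed_by_effect(sent: Tx, chain: list) -> bool:
    """Robust check: look for a confirmed transaction with the same inputs and outputs."""
    return any(tx.stable_id() == sent.stable_id() for tx in chain)


# Constructed sample data: the broadcast withdrawal and the version that was mined,
# identical except for the signature bytes.
SENT = Tx((("aa" * 32, 0),), b"sig-encoding-A", (("1CustomerAddr", 50_000_000),))
MINED = Tx(SENT.spent, b"sig-encoding-B", SENT.outputs)
CHAIN = [MINED]

if __name__ == "__main__":
    print("hash changed:     ", SENT.txid() != MINED.txid())
    print("found by txid:    ", confirmed_by_txid(SENT, CHAIN))
    print("found by effect:  ", confirmed_by_effect(SENT, CHAIN))
```

A tracker that uses only the first check reports the withdrawal as never confirmed even though the customer has been paid, which is the condition under which an automatic re-send pays twice.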