This is crazy, but why doesn't Gox have, like, you have to enter your birth date or something to cash out as well? That would make this BS avoidable. They could also have a setting so you receive an e-mail if someone with an IP outside your country logs in.
That won't protect you from an inside job. They'll claim somebody close to you, who knew your birthday, must have done it. ("Do you trust the people in your environment?")
The only thing that would help is to specify a whitelist of withdrawal addresses in advance, and only allow coins to be withdrawn to those addresses. And in order to add new addresses, have them confirmed through email and enforce a week delay (before any new address becomes whitelisted) so sudden hit-and-run theft is no longer possible. Well, of course a MtGox insider could still take your coins, but in this scenario it's obviously a fuck-up at their end so they can be held responsible.
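
The whitelist-with-delay scheme from the last post, sketched as an added example (not part of the thread and not MtGox code). Class and method names are hypothetical, and it assumes the one-week delay starts when the e-mail link is confirmed and that the link expires after 24 hours.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ACTIVATION_DELAY = timedelta(days=7)   # the "week delay" from the post
TOKEN_TTL = timedelta(hours=24)        # assumption: e-mail link lifetime


@dataclass
class Entry:
    token_hash: str                    # only a hash of the e-mailed token is stored
    requested_at: datetime
    confirmed_at: Optional[datetime] = None


class WithdrawalWhitelist:
    """Per-account allowlist of withdrawal addresses (hypothetical design)."""

    def __init__(self):
        self._entries = {}             # address -> Entry

    def request_add(self, address, now):
        """Register a pending address; the returned token goes out by e-mail."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._entries[address] = Entry(digest, now)
        return token

    def confirm(self, address, token, now):
        """Accept the e-mailed token once; the delay clock starts here."""
        e = self._entries.get(address)
        if e is None or e.confirmed_at is not None:
            return False
        if now - e.requested_at > TOKEN_TTL:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, e.token_hash):
            return False
        e.confirmed_at = now
        return True

    def can_withdraw(self, address, now):
        """True only for confirmed addresses whose waiting period has elapsed."""
        e = self._entries.get(address)
        return (e is not None and e.confirmed_at is not None
                and now - e.confirmed_at >= ACTIVATION_DELAY)
```

The withdrawal path calls `can_withdraw` and refuses anything else, so an address added by whoever has just taken over the session stays unusable for the full week even after the e-mail step succeeds.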