Asking once again. Do you use a Yubikey on Mt.Gox?
As I've said in the past, I do not believe that they improve security.
They do not prevent every kind of attack but they stop entire categories of attacks. You are wrong on this one and should think about it a bit more.
They stop entire categories of attacks which not everyone is especially prone to. SSO is a nice-to-have and very worthwhile in a lot of cases, but it introduces yet another layer of expense and complexity. I don't use one at my exchange but I am quite careful about my username, password, access methods, etc.
Most importantly, I do consider the funds I have at my exchange to be disposable. I consider the risk from incompetence, dishonesty, and government intervention to put the assets I have at my exchange at risk more than my authentication being compromised. A good number of people would be well advised to NOT follow suit here.
The yubikey is the "something you have" in two-factor authentication. Even if Diablo was successfully phished for his password by a fake email, the yubikey credentials would also be needed in order to log in. Then there is a second passkey in the yubikey needed to execute trades. The answer is, unless MtGox is still deeply hacked and PwNd from the inside and the cracker is going after $60 accounts first, the yubikey requirement would have prevented an attacker from logging in and executing trades or withdrawals.
MtGox should have audit logging, and be able to see when the IP logged in and if they used Diablo's login. Ideally a log of the last several logins and IPs should be shown on your user account page too - Gmail can even do this. If the hackers used Diablo's username and password, and it is long and hard to crack as Diablo indicates, then it isn't MtGox's fault, as Diablo's credentials were obtained some other way.
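Added example, not part of any post above and not MtGox's code: a sketch of the login audit trail the last post asks for, keeping the last few logins per account for display and flagging logins from an IP the account has not used before or made without a second factor. The class and field names, the account name and the sample events are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class LoginEvent:
    user: str
    ip: str
    when: datetime
    second_factor: bool  # True if a hardware-token OTP was verified

class LoginAudit:
    """Keeps the last `keep` logins per account and flags unfamiliar IPs."""
    def __init__(self, keep=5):
        self.recent = defaultdict(lambda: deque(maxlen=keep))
        self.known_ips = defaultdict(set)

    def record(self, ev):
        """Store the event; return warnings to show to the account owner."""
        warnings = []
        seen = self.known_ips[ev.user]
        if seen and ev.ip not in seen:  # the first login ever has no baseline
            warnings.append(f"login from new IP {ev.ip}")
        if not ev.second_factor:
            warnings.append("password-only login (no second factor)")
        seen.add(ev.ip)
        self.recent[ev.user].append(ev)
        return warnings

    def last_logins(self, user):
        """Newest-first rows for the account page."""
        return [(e.when.isoformat(), e.ip, e.second_factor)
                for e in reversed(self.recent[user])]

# Constructed sample events (documentation IP ranges, made-up account name).
SAMPLE = [
    LoginEvent("alice", "192.0.2.10", datetime(2011, 7, 1, 9, 0), True),
    LoginEvent("alice", "192.0.2.10", datetime(2011, 7, 2, 9, 5), True),
    LoginEvent("alice", "203.0.113.77", datetime(2011, 7, 3, 3, 12), False),
]

def run_sample():
    audit = LoginAudit(keep=2)
    alerts = [audit.record(ev) for ev in SAMPLE]
    return alerts, audit.last_logins("alice")

if __name__ == "__main__":
    alerts, rows = run_sample()
    for ev, a in zip(SAMPLE, alerts):
        print(ev.when, ev.ip, a or "ok")
    print(rows)
```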