Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.
Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.
I'm not sure if its possible to do 2 factor with the API.
My understanding is that the API key was the master password for LastPass, which allowed the hacker access to the mtgox account with a password. No 2FA was used on the mtgox account, because LastPass was considered secure. This is what I have gathered.