How do you figure it's mtgox's fault?

It's highly improbable that the compromise happened at mtgox's end.  Most likely the user's password was phished or otherwise captured.  

Mtgox offers 2 factor authentication, the OP didn't use it.  I suppose mtgox might be better off *forcing* 2 factor auth on everyone, but not everyone has a google-authenticator capable device or a yubikey.