No need to to go overboard. If Mt.Gox had NO security precautions then there passwords would have been in the clear, OR they would have actually lost the bitcoins out of their back end wallet.
Some of the older passwords are damn close; they're hashed with unsalted MD5, which is not exactly high-grade security. They seem to have missed obvious security measures whenever those would require significant effort. I'm more paranoid than this about security in toy web applications, for goodness sake!
Just because tradehill hasn't been compromised means absolutely nothing. Why would anybody even bother? All the current traders are on Mt. Gox. since you have no idea what security Tradehill has, then implying that they are doing something better then Mt. Gox is just spreading a false sense of security.
An entirely founded sense of security, thank you very much. Similar CSRF vulnerabilities have been found on some of the other smaller sites - there are people actually looking for them now. (It appears from a quick glance that Tradehill have CSRF protection on at least their login and registration forms, so they're aware of the issue.) Sure, it's impossible to be entirely certain how secure other aspects of the site are, but it's a promising sign that they've taken this seriously.