While Mt. Gox couldn't probably just take the money, there is nothing preventing him doing a rollback for example, or canceling whatever order he wants, including ones before the hack. For example, if in your account lifetime you only sent 1000 USD to your account, then by trading bitcoins you grow your account to 10000 USD, he could just say that he owns you only the original 1000 USD you sent to him, that everything else was a game. You couldn't do nothing in that case.
Would the rollback not make Mt. Gox insolvent? There were withdrawals during the incident. Unless they are funding from their own pockets, not everyone would receive all of their BTC if everyone withdrew at the same time. Correct?
He could do a partial rollback. Again, nothing forces him to treat all of it's members equally. He could give whatever money he has back to the "investors" in whatever order he pleases. Regulated financial entities, like brokers, are bound to follow certain rules which force them to treat clients equally. For example, my Forex broker is not allowed to quote different prices to different clients at one moment in time. Everybody must get the same price. Mt. Gox is not under this obligation for example. I'm not saying that he messes with the price, probably he doesn't, that would be very obvious.
What I'm saying is that Mt. Gox is not regulated like a bank or like a stock/forex dealer. The normal protections that are in place at these entities are not applicable to Mt. Gox. He is under no legal obligation to behave in fair ways. BTW, brokers are forced by regulators to keep large amount of cash with third parties OUTSIDE their reach, just in case shit like this happens. For example all US forex dealers are required to deposit $21 mil USD as guarantee in case something goes wrong.