I haven't read this entire thread yet, but is this true? The TX ID can be modified and re-broadcast to effectively double-spend?
It's not true. Both versions of the transaction will have the same inputs, outputs and amounts; they are two different ways of expressing the same transaction, and only one will be accepted by the network, so there is no double-spend. No-one should care which version of the transaction gets accepted. (MtGox did care, and that's their mistake.)
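
An added illustration of the answer above, not part of the original posts: a legacy transaction's ID is the double SHA-256 of its full serialization, signature script included, so re-encoding the signature script changes the ID while the spent outpoint and the outputs stay identical. The sample bytes are constructed placeholders and `payment_key` is a hypothetical tracking key, shown as what a wallet or exchange can match on instead of the ID.

```python
import hashlib
import struct

def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def serialize(inputs, outputs, version=1, locktime=0) -> bytes:
    """Legacy (pre-SegWit) serialization.
    inputs: [(prev_txid, vout, script_sig)], outputs: [(satoshis, script_pubkey)].
    All counts and lengths here are < 0xfd, so each varint is one byte."""
    raw = struct.pack("<I", version) + bytes([len(inputs)])
    for prev_txid, vout, script_sig in inputs:
        raw += prev_txid[::-1] + struct.pack("<I", vout)
        raw += bytes([len(script_sig)]) + script_sig
        raw += struct.pack("<I", 0xFFFFFFFF)  # sequence
    raw += bytes([len(outputs)])
    for satoshis, script_pubkey in outputs:
        raw += struct.pack("<Q", satoshis)
        raw += bytes([len(script_pubkey)]) + script_pubkey
    return raw + struct.pack("<I", locktime)

def txid(inputs, outputs) -> str:
    # Hash covers everything, signature scripts included.
    return dsha256(serialize(inputs, outputs))[::-1].hex()

def payment_key(inputs, outputs) -> str:
    # Hypothetical tracking key: same hash with signature scripts blanked,
    # so it depends only on which coins are spent and where they go.
    blanked = [(p, v, b"") for p, v, _ in inputs]
    return dsha256(serialize(blanked, outputs)).hex()

# Constructed sample data (placeholders, not a real signature or key).
PREV = bytes(range(32))
SIG, PUBKEY = b"\x30" + b"\x11" * 70, b"\x02" + b"\x22" * 32
OUTPUTS = [(50_000, b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac")]
# Same 71 signature bytes pushed two ways: direct push vs OP_PUSHDATA1 (0x4c).
SCRIPT_A = bytes([len(SIG)]) + SIG + bytes([len(PUBKEY)]) + PUBKEY
SCRIPT_B = b"\x4c" + bytes([len(SIG)]) + SIG + bytes([len(PUBKEY)]) + PUBKEY
TX_A = ([(PREV, 0, SCRIPT_A)], OUTPUTS)
TX_B = ([(PREV, 0, SCRIPT_B)], OUTPUTS)

if __name__ == "__main__":
    print("txid A     :", txid(*TX_A))
    print("txid B     :", txid(*TX_B))
    print("same txid  :", txid(*TX_A) == txid(*TX_B))
    print("same coins :", payment_key(*TX_A) == payment_key(*TX_B))
```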