I haven't read this entire thread yet, but is this true? The TX ID can be modified and re-broadcast to effectively double-spend?
It's not true. Both versions of the transaction will have the same inputs, outputs and amounts; they are two different ways of expressing the same transaction, and only one will be accepted by the network, so there is no double-spend. No-one should care which version of the transaction gets accepted. (MtGox did care, and that's their mistake.)
I think this txid mutability doesn't cause double-spend by itself. But if the sender (i.e. Mt. Gox) thinks (erroneously) the coins didn't arrive because they didn't see the txid and somebody complained and they did the spend again, then it depends. If the sending address still holds enough coin, or if they use a different address, then the sender does a double-spend. It could be that somebody acquired knowledge of their accounting flaw and used it to their advantage.
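The replies above describe two versions of a transaction with the same inputs, outputs and amounts but different txids, and a sender who re-sends because the expected txid never shows up. The sketch below is an added example, not code from this thread or from any wallet or exchange: it reconciles a sent payment against confirmed transactions by what they spend and pay instead of by txid. `payment_key` and `status` are hypothetical helpers, and the transactions and signature-script bytes are constructed placeholders.

```python
import hashlib, struct

def dsha(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def serialize(tx, with_script_sig=True):
    # Legacy (pre-SegWit) layout; every count and length here fits in one byte.
    out = struct.pack("<I", tx["version"]) + bytes([len(tx["inputs"])])
    for prev_txid, vout, script_sig, sequence in tx["inputs"]:
        sig = script_sig if with_script_sig else b""
        out += bytes.fromhex(prev_txid)[::-1] + struct.pack("<I", vout)
        out += bytes([len(sig)]) + sig + struct.pack("<I", sequence)
    out += bytes([len(tx["outputs"])])
    for value, pk_script in tx["outputs"]:
        out += struct.pack("<Q", value) + bytes([len(pk_script)]) + pk_script
    return out + struct.pack("<I", tx["locktime"])

def txid(tx):
    # The txid covers the signature scripts, so it is not a stable handle.
    return dsha(serialize(tx))[::-1].hex()

def payment_key(tx):
    # Hypothetical helper: same hash with signature scripts blanked, so it
    # depends only on the outpoints spent, the outputs paid and the amounts.
    return dsha(serialize(tx, with_script_sig=False)).hex()

def status(sent, confirmed):
    # Decide what happened to a payment before anyone considers re-sending it.
    spent = {(i[0], i[1]) for i in sent["inputs"]}
    for tx in confirmed:
        if txid(tx) == txid(sent):
            return "confirmed"
        if payment_key(tx) == payment_key(sent):
            return "confirmed-under-different-txid"
        if spent & {(i[0], i[1]) for i in tx["inputs"]}:
            return "inputs-spent-elsewhere"
    return "unconfirmed"

# Constructed sample data: one outpoint, one payee, placeholder scriptSig bytes.
PREV = "11" * 32
PAYEE = b"\x76\xa9\x14" + b"\xaa" * 20 + b"\x88\xac"
def make(script_sig, pk_script=PAYEE):
    return {"version": 1, "locktime": 0,
            "inputs": [(PREV, 0, script_sig, 0xffffffff)],
            "outputs": [(50_000, pk_script)]}
SENT = make(b"\x01" * 8)
VARIANT = make(b"\x02" * 9)   # same payment, different signature-script bytes
OTHER = make(b"\x03" * 8, b"\x76\xa9\x14" + b"\xbb" * 20 + b"\x88\xac")

if __name__ == "__main__":
    for name, chain in [("variant", [VARIANT]), ("other", [OTHER]), ("none", [])]:
        print(name, status(SENT, chain))
```

Only the "unconfirmed" result leaves re-sending open, and even then the replacement should spend the same inputs so that at most one of the two can ever confirm.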