Looks good, I hope this result can be verified!
It has already been shown to be wrong.
They were only looking at broadcast transactions which were broadcast through the network, i.e. accepted by and relayed by standard bitcoin clients. MtGox's vulnerable transactions weren't accepted by bitcoin clients after version 0.8, and not relayed. The transactions were only published through MtGox's API, and the researchers didn't look there. The transactions published in their API included a signature which could be changed into a valid one by a simple modification, and this is (probably) how the theft happened.