Looks good, I hope this result can be verified!
It has already been shown to be wrong.
They were only looking at broadcasted transactions which were broadcasted through the network, i.e. accepted by and relayed by standard bitcoin clients. MtGox's vulnerable transactions weren't accepted by bitcoin clients after version 0.8, and not relayed. The transactions were only published through MtGox's API, and the researchers didn't look there. The transactions published in their API included a signature which could be changed into a valid one by a simple modification, and this is (probably) how the theft happened.
Of course the API would have been a better source, but still they also must have appeared in the public history... that is why they had the data.
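An added example, not part of any comment above, of why a re-encoded signature matters: the same (r, s) pair can have more than one byte encoding, and a hash taken over the bytes changes with the encoding. The comment does not say which modification was involved; superfluous zero padding in a DER integer is assumed here for illustration, and the values, function names and the simplified `toy_txid` stand-in are all constructed.

```python
import hashlib

def parse_der_lax(sig):
    """Lenient parse of SEQUENCE{INTEGER r, INTEGER s}; tolerates zero padding."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER sequence of the stated length")
    pos, values = 2, []
    for _ in range(2):
        if sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = sig[pos + 1]
        values.append(int.from_bytes(sig[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("length fields do not match the data")
    return values[0], values[1]

def encode_der_strict(r, s):
    """Minimal encoding: one 0x00 pad only when the top bit would be set."""
    def enc_int(v):
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80:
            b = b"\x00" + b
        return b"\x02" + bytes([len(b)]) + b
    body = enc_int(r) + enc_int(s)
    return b"\x30" + bytes([len(body)]) + body

def is_strict_der(sig):
    """True only if sig is byte-for-byte the minimal encoding of its (r, s)."""
    try:
        return encode_der_strict(*parse_der_lax(sig)) == sig
    except (ValueError, IndexError):
        return False

def toy_txid(sig):
    """Simplified stand-in for a txid: double SHA-256 over bytes that embed sig."""
    tx = b"<constructed inputs>" + sig + b"<constructed outputs>"
    return hashlib.sha256(hashlib.sha256(tx).digest()).hexdigest()

# Constructed sample values, not taken from any real transaction.
R = int.from_bytes(bytes(range(1, 33)), "big")
S = int.from_bytes(bytes(range(33, 65)), "big")
CANONICAL = encode_der_strict(R, S)
PADDED = b"\x30\x45\x02\x21\x00" + R.to_bytes(32, "big") + b"\x02\x20" + S.to_bytes(32, "big")

if __name__ == "__main__":
    for name, sig in (("canonical", CANONICAL), ("padded", PADDED)):
        print(name, is_strict_der(sig), parse_der_lax(sig) == (R, S), toy_txid(sig)[:16])
```

Running `is_strict_der` on a signature before publishing it flags an encoding that has a second valid form, which is the condition under which an identifier computed over the signature bytes cannot be relied on.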