The 800'000 number is the sum of all BTC account balances in the leaked database.  It is basically the total BTC that clients deposited over MtGOX's history, minus all the BTC that they have withdrawn.

If indeed MtGOX never had the 600'000+ coins that it claims to have lost, we would have to conclude that the database has been doctored at some point; and in that case it is hard to say that the trades of non-existent coins by Joe and Bill were real.

However, most people seem to agree that the 800'000 figure is correct, and the 600'000+ coins were indeed lost.  But, even with this assumption, the trades by Joe and Bill were not quite real, since the theft or embezzlement must have happened at least a year ago.  The artificial 10% overprice that MyGOX maintained for a long time since then was at odds with its real situation, for example; so it is questionable whether the trading in that period is "real".

From the creditor meeting papers, I understand that Kobayashi has already transferred to an address of his own the 200'000+ coins that Mark "found". 

But, even now, no one seems to know when the other 600'000 disappeared, nor the addresses where they were transferred to.  Presumably Kobayashi and/or the police will get from Mark the legitimate MtGOX addresses that held the coins before they disappeared; but how could one prove that the addresses where they were transferred to did NOT belong to Mark (or any other suspect)?

Even if the 600'000+ coins were embezzled, rather than stolen by an external hacker, it will be hard to prove that (unless the embezzler was really incompetent at hiding his tracks.)  An embezzler could have written down the private keys on a slip of paper and handed it over to an external accomplice who issued the fatal transaction.  That leak would leave no trace in any logs, and it would be impossible to connect the embezzler to that transaction.