
The way I understand Mt. Gox is that they have a giant pool of real btc. They are the "owner" of these btc. So, for instance, if your account says you have 3000 btc, then your 3000 is just an entry in a database, and the only time that actually becomes a bitcoin is when you cash out the coins from Mt. Gox. At that point, they give you the amount of coins that you requested to be withdrawn from their giant btc pool. So, in other words, there aren't actually any specific bitcoins that are assigned to you specifically. You essentially own an IOU for 3000 bitcoins that you can cash out at any time. That's also why they can roll back transactions, because no bitcoins are actually transferred in their system, only database entries that state who owns how many bitcoins. That's why I think someone could update an account's bitcoins balance to any number, and then sell them on the market, because you're not really transferring bitcoins. You're transferring IOUs for bitcoins in a database.

Judging by the amateur security issues they've had lately, I think it's highly unlikely that they have the right controls in place to catch something like that automatically.



Or, to analogize, your MtGox balance is a gold certificate, MtGox is the bank with the actual gold in its vault, and someone just robbed the bank.
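
An added example (not part of either comment, and not Mt. Gox's actual code or schema): a reconciliation control of the kind the first comment doubts was in place. It assumes a hypothetical append-only journal of deposits, withdrawals and trades, replays it, and flags any stored balance with no journal backing, as well as total IOUs that exceed the coin pool. All names and amounts are constructed.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; the journal layout and account names are assumptions.
JOURNAL = [
    ("deposit", "alice", None, Decimal("3000")),
    ("deposit", "bob", None, Decimal("50")),
    ("trade", "alice", "bob", Decimal("100")),   # IOU moves between rows, no coins move
    ("withdraw", "bob", None, Decimal("20")),
]
BALANCES = {"alice": Decimal("2900"), "bob": Decimal("130"),
            "mallory": Decimal("500000")}         # row edited with no journal entry
POOL_RESERVE = Decimal("3030")                    # coins actually held in the pool


def replay(journal):
    """Rebuild per-account balances from the append-only journal."""
    expected = defaultdict(Decimal)
    for kind, src, dst, amount in journal:
        if amount <= 0:
            raise ValueError(f"non-positive amount in journal: {amount}")
        if kind == "deposit":
            expected[src] += amount
        elif kind == "withdraw":
            expected[src] -= amount
        elif kind == "trade":
            expected[src] -= amount
            expected[dst] += amount
        else:
            raise ValueError(f"unknown journal entry: {kind}")
    return expected


def reconcile(journal, balances, reserve):
    """Return ({account: (stored, expected)} for unbacked rows, liabilities <= reserve)."""
    expected = replay(journal)
    zero = Decimal(0)
    drift = {acct: (balances.get(acct, zero), expected.get(acct, zero))
             for acct in set(balances) | set(expected)
             if balances.get(acct, zero) != expected.get(acct, zero)}
    return drift, sum(balances.values()) <= reserve


if __name__ == "__main__":
    drift, solvent = reconcile(JOURNAL, BALANCES, POOL_RESERVE)
    for acct, (stored, exp) in sorted(drift.items()):
        print(f"ALERT {acct}: stored={stored} journal={exp}")
    print("liabilities covered by reserve:", solvent)
```

Run on a schedule and before any sell order or withdrawal is honoured, a check like this turns a silent balance edit into an alert on the affected account.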



