I've known several web developer "enthusiasts" over the years who know just enough PHP (usually it's PHP, but this applies to other technologies as well) to build things that mostly work and feel confident that they can solve anything with "a little PHP." Working mostly alone, these people prefer to spend their time building constantly, and little time learning or keeping up with current best practices (or in this case, cryptography).
There are a large number of companies (many of them doing very well) built by people like this, and even when they bring on other developers, no one has the courage to tell the original developer (who is often CEO) that their code sucks and needs to be scrapped completely. They keep throwing more crap onto the pile because the machine "works" and customers are demanding new features. The original (incompetent) developer feels a sense of pride for his or her work, and nothing short of total failure (in this case, spectacular failure) will convince them that their work is anything less than genius.
It's unfortunate that some companies thrive in situations like this (it sets them up for failure), but it happens all the time.
I don't know Mark personally, but from everything I've read from him over the years, he seems to fit the description above. It doesn't necessarily mean he's a terrible person or a thief (he could be that as well, but I have no knowledge to prove one way or the other). It just means he got in over his head, and kept the site running on deeply flawed assumptions and implementations (e.g., no standard accounting, little understanding of security, etc.). It's a shame that people kept coming back to Mt. Gox and entrusted the site with their money, even after those behind Mt. Gox proved themselves to be incompetent over and over again.
Is it sad? Yes. Is it surprising? The only surprising thing is how people kept going back.
As for the missing and suddenly reappearing coins, I honestly think they just had absolutely no idea where everything was. I've heard people describe Mt. Gox's infrastructure as a hodgepodge of random scripts and servers duct-taped together, and it's easy to imagine a dozen hard drives filled with an unorganized mess of Bitcoin wallets, private keys, database dumps, etc. I believe they're honestly trying to pick up the pieces, but the pieces are scattered everywhere.
Ironically, from what I understand, PHP was originally intended to be little more than a template language. OOP and other features were added later to allow PHP to function more like a "proper" programming language. Unfortunately, it still carries some oddities from the early days (procedural and OOP ways to do many things, the default use of PHP opening/closing tags even in scripts where HTML/markup may not be applicable, etc.).
I'm happy that PHP got me interested in programming, and I think it still captures the interest of otherwise non-programmers today. It still empowers people to do amazing things without forcing all of the complexities (or best practices) of other languages. I don't fault PHP for the situations described above (incompetent people getting in over their heads and turning a blind eye to best practices), but many of the features that make PHP accessible to these kinds of people (including myself years ago) don't exactly help encourage or enforce best practices. The same could be said for NodeJS and others as you say.
The current incarnations of PHP, NodeJS, and others certainly allow for more disciplined and well-designed code, but the culture/community behind a language is shaped by much more than just the current state-of-the-art.
This story should be a wake-up call for any entrepreneur/developer to never become complacent, even when things are going well.
Would you prefer a successful company run by incompetent people or an unsuccessful company run by competent people?