I guess common sense comes to play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner responsibility.
It's not the site owner responsibility. I don't want to blame the victim either (only the criminals are to blame), but MtGox doesn't have any obligation whatsoever of refunding him. Unless they had explicitly sold such guarantees, they don't have any obligation in keeping our funds protected at all. It's our choice to trust or not in their capacity to do so.
It is still the site owner
responsibility. I'm not saying there's an
obligation of refunding any losses, that's where the contracts, insurances and premiums come in, but rather that only the site owner could have prevented this, and I'm sure in this case Jed has already closed this particular hole.
If there's any obligation, legal, moral or otherwise, I'm in no position to say. Having happened to me, I would ask for a refund but not require one, as you put it, and very well, I'm the one that trusted the site in the first place. I would go so far as to say Jed should have an opt-in system that would raise the fee per transaction for those who chose to allow it, and the extra fees would go to a fund to cover just these situations, but then it would become very hard to separate real cases from scams, and I don't think Jed wants to become a lawyer (assuming he's not one already)
You can't be serious...
