They certainly can place sell orders on their orderbook for coins they don't physically own by changing the numbers in their database. Cryptsy trades don't happen on the blockchain, they are just numbers in a database and need not correspond to actual coin holdings. Nobody would know they had made up some coins unless everyone tried to withdraw at once, like happened at MtGox.
This is true. Any real bank could also do the same. Supposedly there are safeguards in place to prevent it from happening; all kinds of shenanigans go on in banks anyway, but it's sophisticated and wrapped in fancy catch words and elaborate fine print. The traditional financial market is supposed to be regulated; how effective the regulation is is another discussion entirely.
As for exchanges dealing with cryptocurrencies, there's no oversight whatsoever, so basically you need to trust the exchange operator. If he wants, he can inject any amount of currency into his own systems. For example, if you deposit 1 BTC to an exchange, your account will hold 1.0 BTC. But the administrator of such an exchange could adjust that number to any number he would choose. For instance, he could change it to 10.0 BTC, or 100.0 BTC, or any other number.
As long as trades are only done on the site, this will not be a problem, everybody will be trading, and everyone will be happy.
The problem starts when people want to withdraw, and there are delays when withdrawing, because the imaginary database coins do not have a sufficient amount of real cryptocurrency to back them up, so withdrawals need to be supported by new depositors.
Once it gets around that there are withdrawal problems, more and more people become sceptical and stop using the site, and because of this news, more and more people want to withdraw their funds, but they can't because they don't exist. So the site 'implodes' and a lot of people lose money.
There are probably ways to prove your reserves of cryptocurrencies, but if the site does nothing to prove the existence of such funds, as a user you cannot really trust the exchange not to behave unethically or inject imaginary funds into the exchange.
I do think however, that in the long run, the bad actors will be weeded out, like we saw with MtGox. There are many examples in history of companies which are comfortably big and complacent, lose their position and dwindle away, perhaps because of unethical behaviour, outright fraud, poor customer service or otherwise. Sometimes such shitty companies survive for a long time, perhaps because there's little competition, but eventually they will be replaced.
A good rule of thumb is to never deposit more cryptocurrency to any site than you can afford to lose. Once you have deposited it, it's no longer yours. It's the site that now controls the cryptocurrency that you just deposited, and the only thing that you have is a promise that they will return the funds to you when you request it. If they do not honour the promise, there's not much you can do.
But - we have seen that both Trendon Shavers and Butterfly Labs have faced the traditional justice system, so bitcoin crooks cannot be sure that they're untouched by the law. Bitcoin is not the wild west.
It's also in the interest of an exchange operator to be honest, as this will keep him in business for a long time. But sadly, an unethical operator might get away with the occasional 'hacked' accounts. Sometimes it could be genuine hacks, other times it could be the exchange stealing the funds themselves.
There should really be some sort of rating site, where all users of an exchange could rate their exchange, and based on this, it would be easier to select a legit exchange.
But to protect yourself, never put all your eggs in one basket. If you have a lot of bitcoins, don't put them all on a single site, and esp. not if you cannot tolerate losing them all. And with sketchy sites with a poor reputation, don't trade with too much money.