The main problem with Mt. Gox was not that the code was a mess. It was a lack of basic financial controls. Mt. Gox lacked a chief financial officer, a controller, inside auditors, outside auditors, a board of directors, an audit committee, and a compliance officer. Yet they were doing a billion dollars of transactions a year. It's not even clear that they have a general ledger listing all transactions. Lack of financial controls is usually considered an indicator of fraud. I've been making this point on bitcointalk for the last year. None of the "Bitcoin exchanges" have proper financial controls. None have an outside auditor and published audits. Yet they're handling far too much money to operate that way.
As for "The National Police Agency seems to lack the ability to analyze the bitcoin trading history of Mt. Gox", that seems to be correct. One would think that the Japanese National Police Agency would have a cyber-crime division, but they don't. In 2013, they were trying to beef up their capabilities in the computer area. This is embarrassing for a developed country. Today, any sizable financial mess involves computers, and Tokyo is a major financial center. Untangling any business collapse requires computer forensics and forensic accountants.
The Tokyo police have a backup option - putting Mark Karpeles through one of their standard 23-day interrogation sessions. That's probably going to happen at some point.
Mt. Gox didn't have that high a transaction rate. They only did two or three money transactions a minute on average. They had a lot of traffic from people querying their site for market info, but that's all read-only traffic, and they had nginx and Amazon AWS to help with that.
Their use of PHP wasn't the real problem. From the leaked code, a big part of the problem seems to have been that the front-end system that talked to web users also handled the money. Banks have a separation between the front-end web system and the money system, with standard-format transaction items flowing between them. All those transaction items are logged, often by a third system that just does logging. This allows auditing. It's separation of function that's important, not the language. As far as anyone can tell, Mt. Gox had nobody on staff who understood this.
This all screams "inside job". If you're running a business that handles a lot of money and you lack financial controls, you're scared that someone will rip you off. Unless you're the one doing the ripping off.
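The separation of function described above (front end, money system, and a third system that only logs), as an added sketch that is not part of the original post and not Mt. Gox's or any bank's code. All class, field and function names are hypothetical and the sample items are constructed; it shows how replaying the logged items lets an audit flag a balance that changed without a matching transaction item.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class TxItem:  # standard-format item the front end submits (fields are assumptions)
    seq: int
    account: str
    amount: Decimal  # positive = credit, negative = debit

class AuditLog:  # third system: append-only record, separate from the balances
    def __init__(self):
        self._items = []
    def record(self, item):
        self._items.append(item)
    def replay(self):
        balances = {}
        for it in self._items:
            balances[it.account] = balances.get(it.account, Decimal(0)) + it.amount
        return balances

class MoneySystem:  # the only component that changes balances; accepts TxItems only
    def __init__(self, log):
        self.balances, self._log, self._next_seq = {}, log, 1
    def apply(self, item):
        if item.seq != self._next_seq:
            raise ValueError("out-of-order or replayed item")
        new = self.balances.get(item.account, Decimal(0)) + item.amount
        if new < 0:
            raise ValueError("insufficient funds")
        self._log.record(item)  # log first, then move the money
        self.balances[item.account] = new
        self._next_seq += 1

def audit(money, log):
    # Accounts whose stored balance differs from what the logged items imply.
    expected = log.replay()
    accounts = set(expected) | set(money.balances)
    return sorted(a for a in accounts if expected.get(a, 0) != money.balances.get(a, 0))

def demo():
    log = AuditLog()
    money = MoneySystem(log)
    sample = [("alice", "10.0"), ("bob", "2.5"), ("alice", "-4.0")]  # constructed
    for seq, (account, amount) in enumerate(sample, 1):
        money.apply(TxItem(seq, account, Decimal(amount)))
    clean = audit(money, log)
    money.balances["bob"] += Decimal("100")  # balance changed outside the item flow
    return clean, audit(money, log)
```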