If BitGo was compromised, 1 of the 2 remaining keys still must be used to sign the transaction. BitGo has no access without either of the 2 keys that Bitfinex controls.
Sorry, wasn't clear. I assumed it was obvious that bitfinex's online key was also compromised, no matter what happened with BitGo, whether their key(s) were stolen or if their api was abused.