The separation of exchanges into two categories seems to already be starting because of KTC regulations. The most compliant exchanges require so much official paperwork that it's difficult to register at them. The other less scrupulous exchanges are easier to register at but are often accused of running fractional reserves because they are never audited.
bitfinex was audited a year or so ago by a trusted community member (it's about time to do it again).
Just because an exchange doesn't do KYC/AML doesn't mean it can't (or shouldn't) be audited.
I don't think this practice is remotely acceptable for the kind of volume these exchanges go through.
They undoubtedly have the money to hire a proper auditing firm, and I think the only reason they get away with these kinds of substandard practices while still keeping customers is the fact that a meltdown has not happened yet, and regulated exchanges are extremely slow to emerge in the US.