I think I have found another paradox within the rules that bears closing.
Under account privileges p38 of Matrix, a security decker can automatically Locate Decker and automatically Trace MXP address.
That means within three system actions (one to spot the intruding decker, one to trace the virtual origin and then one to trace the decker's physical jackpoint), the decker is traced.
Why have the Trace utility if this is the case? Or the Trace IC?
Each of these requiring a lengthy location cycle. ?

It requires a lot of effort to spoof a jackpoint for more than D6 minutes so I believe this an oversight. Otherwise any host with a sec decker means the run is doomed to failure, big unfriendly men with weapons will be kicking in the door post haste. doubly so if you are fool enough to physically intrude into a compound.

I have checked the usual sources without correction.

For my part I find the Trace MXP address system op simply to powerful but to remove it means any decker cannot stealthily trace to source, a basic right for many a PC code slinger.
With it however removes decking as a viable career option.
Trace MXP address is a interrogation op requiring five successes to accomplish, so the first option is to remove it from the security account privileges.
However that only slows down the inevitable.
The main problem is that the system operation fails to take into account the masking and sleaze running on the deckers deck.

Ideas on how to correct this?

I would say that using the system commands only yields the 'surface' information. If you're legitimatly logged in using a legitimate connection, you just know where the other person is, because the other person told the computer where they were. But if you sleaze your way into the system with half a dozen redirects, then when the security decker asks the host "where is that guy" the computer responds with what it's been told, which is probably "where the sun don't shine." Then the decker has to do some work to dig through the re-directs and try to figure out where the other person is.

Looking at the rules, tracking someone down isn't really an instant-success thing. Automatic operations only let you forgo the System Test part of the operation (unless more successes grant bonuses, rather than indicating pass/fail). All other tests are still required. Now, admittedly, they'll be rolling fairly high because they have professional training and the resources of a mainframe host behind them - but you've still got a number of chances to avoid it.

To Locate Decker, the deckhound still has to make a successful Sensor test (where you benefit from Masking and Sleaze) to find you in the first place. Passing that just lets them know you're there and burns a Complex action. And if you're paranoid or realize you've been spotted, you can attempt to hide again - forcing the security decker to start from scratch. After spotting you, they have to run a successful Scan Icon operation (where you also benefit from Masking and Sleaze) to get your MXP address at all. That's just a Simple action, but still essentially another whole pass, because tracing you requires a Complex. And they have to make the roll because it's a skill check, rather than a System test. Then they can finally get around to trying to trace the origin of your MXP address - burning more Complex actions. So that's at least three initiative passes before they can pinpoint you virtually (four, if the want the physical location).

Also, security deckers only have Security accounts on their own systems, not on the local or regional telecom grids as a whole. So if the target's MXP originates outside of their host, it would be logical to require the deckhound to make the trace as a standard operation (with Systems Test) because the registration info resides on a system they don't have access to. Even today, you can't (normally) just call up the ISP you traced an IP address to and demand they tell you who it belongs to, no matter who you are or what the other party is doing. It's even less likely in the SR universe because the telco(s) in question could very well be business competitors with whoever's making the request and highly unlikely to cooperate.

Additionally, the security decker has to weigh the benefits of tracking the intruder down vs. all of his other options. Time spent tracing you themselves (vs using IC) is time not spent stopping you from doing whatever it is you're up to. And, often, it's more effective/beneficial for them to do other things: blocking your operations, restricting your icon, attacking you, siccing IC on you, killing your fake account, or any number of other things. Plus, security deckers don't get bonuses for calling out the sec-goons to shoot you. Security personnel, property damage, and equipment cost time and money. Matrix operations are faster, cheaper, protected under extraterritoriality laws, and won't upset the other worker bees. Not to mention the deckhound's personal reputation is on the line here. Does he want to be the guy who lets some pissant shadowrunner scare him into calling out the big guns, or does he want to be the hero who takes out the nasty ol' datathieves single-handedly?

There are some good points made, I particularly like the fact the sec decker would need to trace back to the home grid and there find the physical location.

However there are a couple of problems with the continuity of the logic when it hits play.
Firstly, sec deckers spend almost all of their time trying to locate intruders, in some case they are tripped by security tally. Taking it as given that they actually need to locate a decker first thats about three complex actions to find a masking 6/sleaze six icon.
Most sec deckers will have three action per turn, so thats one turn free.
Then unless the intruding decker knows to evade detect or does as a matter of course, the sec decker now gets to scan the icon with an average of one to two success with hacking pool. (Again this is with masking 6/sleaze six and the sec decker with a rating 6 utility.)
Now comes the trace MXP address.
Should the sec decker be Gridsec, he has full access to the seattle RTG and LTGS, bad news for the decker as the mandate for Gridsec is to get an arrest.
If the decker is physically intruding on a corp compound the sec decker of any strip can locate the jackpoint.
At best once the sec decker has the MXP address the intruding decker is a jurisdiction headache away from being caught.

Now why would the sec decker take this approach? Because he loses nothing to do so.
He isn't in cyber combat, he can wait for the intruding decker to be entangled with IC and the MXP address means he practically has the criminal beaten long term.
Then he can raise the alarm and mix it up after covering his behind.

I agree not every sec decker would act like this and many would try to stop what ever the decker is doing now and worry about the meat later.

The combo seems pretty sure fire for two initiative turns work without giving the PC decker even a hint that this doom is befalling them. Should they fail their free sensor roll of course.
The Track utility takes about as long and has more risk involved.

I believe we discussed this in the previous two posts?
To clarify after the Locate Decker and Scan icon, Trace MXP address is an interrogation action on the home grid which is automatic.
TonkaTuff I think has highlighted the start of the problem being Scan icon as this gives the MXP address, this combined with Trace MXP address allows system operations to replace the Track utility.

I hesitantly put forward that the MXP address information be removed from the scan icon options. Solves the problem.