Fortunately we don't live in the wild west. If the bank forgets to lock its vault it's not free money season.
He didn't just find some way to, say, outsmart the random number generator. (And I think that would be fine: casinos encourage people to think they have founds ways to beat the system, because they keep on trying them, putting more money in the casinos' pockets. If someone manages to somehow actually beat the system, good for him.) He found a bug in the payout calculator.
If you figure out a way to press buttons on an ATM that makes your withdrawal credited as a deposit, it's neither legal or right to repeatedly exploit that. There is no "gee, I really thought it meant to do that."
You are forcing people to make assumptions about the intent of a system with a defined interface.
An ATM has but one function, assumptions about those seem reasonable (though I think laws against using them without those assumptions are unnecessary, as ATM operators are incentivized already to prevent circumstances in which they lose money). When you generalize that to remote computers, or touchscreen gaming, it becomes less reasonable to force users of those systems to assume the intent of the programmer to stay out of jail.
It's a much more elegant and workable and fair solution to simply let the rule lie with the code, which is defined formally, and let the potential negative consequences of deploying code that is not fully understood incentivize people to be careful about what they deploy for interaction with the general public (be it slots, ATMs, or networked computers).
(An aside, PLEASE stop with the terrible physical analogies about locks and vaults. They are simple straw man arguments. It is impossible to break a lock by force over the internet, or to rob a web service at gunpoint. The intent of a locked door is a safe and reasonable assumption to make, and to punish others for not making. That is simply not so on the internet - a perfect example being spidering email addresses from a public web service that was expressly configured to emit them.)
He didn't just find some way to, say, outsmart the random number generator. (And I think that would be fine: casinos encourage people to think they have founds ways to beat the system, because they keep on trying them, putting more money in the casinos' pockets. If someone manages to somehow actually beat the system, good for him.) He found a bug in the payout calculator.
If you figure out a way to press buttons on an ATM that makes your withdrawal credited as a deposit, it's neither legal or right to repeatedly exploit that. There is no "gee, I really thought it meant to do that."