With a physical lock, you'd have to pick the lock each time you wanted access, and avoid being seen. The bar for repetitive attacks on the web is much lower, because you only need to write the "lock picking" script once, and then you can use it indefinitely, disseminate it, etc.
A poorly protected website is more akin to a house with no lock on it at all, and reporting that "this house has no lock" is not a criminal act.
What about this: seeing the house has no lock, opening the door, going inside, counting the money in the owner's wallet, putting it back, then reporting that "Anyone could steal $300 from that guy".
If I were that guy I would be very happy that someone informed me about the vulnerability of my wallet. I would definitely thank them and invite them for tea. Reporting them to police would be the last thing on my mind.