Problems I see here...
ICCIDs as sequential numbers - Untrue. 89nnnnnnnnnnnnnnnnn1 may be a valid ICCID; if it is, 89nnnnnnnnnnnnnnnnn2 will not be (where n are digits). There may be a pattern utilised, but n+1 is not a reliable method for a given known ICCID.
He immediately alerted the media - Not the company? Sure, the public might have a need or right to know, and though his intentions were more or less good, giving up details of an exploit without giving the (in this case) company a good-faith chance to fix what went wrong--thus giving the black-hat types a window to do what they will, with probably more nefarious intent--is in NO way responsible behaviour.
There was no evidence that the addresses were disseminated - gives the guy some leeway on the ID theft and probably fraud charges. Conspiracy to commit unauthorized access charge, though? Pretty much indefensible, and probably a non-issue if he'd made a good-faith effort to bring this directly to AT&T's attention and/or if it hadn't been used to the extent of 100k+ addresses.
That said, AT&T isn't in the clear here. Further efforts could have been made on their part to secure this information, though an email address doesn't mean or lead to much except for those a) in the spam business or b) with more nefarious purposes and the appropriate tools at hand, ready to use. Is a stiff sentence fair here? I don't believe so, but nor is acquittal.