Why should he hold back from publishing? You doubted three specific claims:
A. The terrorists would have the technological know-how to carry out the sabotage
People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry-appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis. There are real attacks on automation systems today, and there are dedicated, well-funded organizations backing these attackers.
B. The terrorists could locate the actual weaknesses of the infrastructure to carry out their attacks
With the nature of automation, an attacker does not need to know that "Manhattan Pumping Station #12" at 127.0.0.1 has a login page susceptible to buffer overflow of exactly 1028 bytes. All they have to do is try a 1028-byte overflow on every SCADA system they find, and maybe a few dozen or a few thousand are similarly unprotected. Even if Manhattan's pumping station fixes their login problem, that doesn't help protect the water pumping systems in Peoria, Illinois, or Nome, Alaska. It's important to remember that a terrorist doesn't have to "call his shots" in advance in order to achieve his objectives of spreading fear or panic.
C. The terrorists never suspect that what he said is, after all, a "honeypot"
A honeypot is completely ineffective at determining the identity of an attacker. Sounding an alarm that an attacker is present simply means the attacker will disconnect, and move on to the next potential target. A honeypot is only useful for studying the moves of an attacker, and for potentially diverting them away from your own valuable systems. It can't catch them.
I'm actually not disagreeing with you that we need sunshine in order to fix the problems. The bigger problem is that we have a huge, non-centralized infrastructure that can't be fixed all at once. If Nome, Alaska's pumping station is vulnerable, Nome, Alaska is solely responsible for fixing it. There is nothing about owning such a system that means the owners are up to date on all security issues or patches needed. We may think they should be, but it's academic: they're not patched, they are vulnerable, and the cost of publishing the vulnerabilities could mean the destruction of critical infrastructure.
Industry, government, and law enforcement groups have been trying to solve this problem for quite a while, but they're simply not there yet.