Let's take the case of a restaurant. It has a public access space (the front tables) and a private space (the kitchen area). If someone forgets to lock the kitchen door, you still have no right to "access" the kitchen. You further have no right to take stuff, publish the secret recipes you found in the filing cabinets, or to vandalize the place.
A website is public, and you can expect the public to use the publicly accessible parts of it. However, if you find a security hole, you have no right to access that.
I think the problem is that this is Apple, AT&T, and the proprietary iPhone and not the super cool Android phone. But, AT&T also sells Android phones. And, so does Verizon which also had similar issues. What if someone accessed via AT&T and Verizon information about YOUR phone. YOUR phone number. YOUR billing address, YOUR bank account. Is that still okay?
If I leave my keys in the car. If I leave my front door open, the police might "laugh at me", but a crime has still taken place.
As for the "implied" license: Are you saying that if you can figure out some sort of hack via a security hole, you have permission to enter? This was not a link that said "Click here to view iPad account holder information". This was a script written probing for a security hole. It as if someone port scanned your PC.
Internet security is extremely difficult. You have millions of people you want to let in, but at the same time, you have information you don't want public. Even Google gets hacked. Hackers aren't just kids. They're sometimes backed by crime syndicates and foreign governments. Don't be so sure of yourself. How much do you know of your own computer? Are all those protocols your computer uses to communicate absolutely secure? Could there be some bug in one of the hundreds of third party libraries that you don't know about?
Don't be so gun ho on Linux/GNU either. It is far from secure unless you keep your machine off, unplugged, locked in a closet, and off any network. Almost every day, my Linux desktop machine reports about a half dozen security issues and bugs. And, since it is a desktop machine, I can update it, reboot it, and hopes everything keeps working. I can't do this with my database server or my web server. It needs to be up almost 24 hours each day, and I have to certify that bug fixes won't break anything. Takes about a week to go through the process, so it's about 3 months behind in updates. Maybe longer.
Hacking is a crime whether you like it or not. It doesn't matter if something was easily hackable or hard to hack. It doesn't matter if the security hole was well known or zero day.
Your argument that since this was a webserver, thus not a hack is laughably immature. You really think writing a PHP script to poking around at various non accessible directories, and taking random guesses is public access?
There maybe some liability AT&T has in this case if they were negligent in securing the information. That would be for the court to answer. This would be like a bank that has a master key to their safety deposit boxes kept on a nail by the front door in the lobby. However, that guy who took the key, and rummaged through the safety deposit boxes would still have committed a crime.