I don't think I go as far as others here. I am not sure an open door is an invitation to dig through someone's diary; that is, even if someone is incompetent in managing their security, there should probably still be a point at which abusing that crosses a line - though I am very open to discussing just where that point is (and some liability should certainly still sit with those who deployed an insecure system).
All of that said, I wholeheartedly agree that damage to reputation (where such damage comes only from revelation of the insecurity) is the fault of the people failing to live up to their reputation, not those exposing the reality of it.
It would be a violation of privacy to sit down and read it through. Whether this should be legally actionable (as opposed to just socially) is another question, of course, but nevertheless.
All of that said, I wholeheartedly agree that damage to reputation (where such damage comes only from revelation of the insecurity) is the fault of the people failing to live up to their reputation, not those exposing the reality of it.