
This isn't exploiting a vulnerability. If I knock on your door and you open it and invite me in, you don't get to complain about how I'm trespassing. If your server responds to traffic on a port, then it's completely fair to conclude that you're okay with that.


>then it's completely fair to conclude that you're okay with that.

How do you know? Lots of people misconfigure their systems and leave them open to access unintentionally.


Then upon them discovering that it's open to the world, their first response shouldn't be to blame the people connecting, but themselves for leaving it open.

Huge numbers of people have done this; I've certainly done it in the past when I knew less. Discovering that the webserver logfiles were rather larger than I expected, or that HTTP traffic was through the roof... oh, right, I left something open, better close that and remember it for next time.


Just chiming in from the other sub-thread to say that I actually agree with you on this point. A misconfigured access control policy isn't grounds to assume that you have access.

However, I don't think it's a reasonable assumption that the open status of TCP ports is supposed to be private information.



