There really isn't enough information given in the article to say conclusively what I think of this issue. But generally speaking, security through obscurity isn't really security; a lot of organizations don't seem to grasp this. Dawson College sounds like it might be one of them.
A lot of people are saying that what he did is basically mess with someone's locks to see if he could get in. I don't think that analogy is an apt one. For one, his own student info is also behind the lock, so it's not like he has no stake in whether or not it's secure.
"he was expelled after he repeatedly tried to gain access to areas of the college information system where he had no authorization." He had been told repeatedly to stop, but he was so hung up on enlarging his metaphorical penis that he didn't listen. He broke the law, got warned, did it again, got removed. It's all very logical. He had it coming.
I used to play Risk online, and there was this prick there who always used to post thousands of weird ASCII characters in the chat window, which would cause the game to crash for anyone whose PC didn't have the memory to deal with it. When challenged by the mods he said he was doing it to expose a flaw in their programming. They fixed the flaw and banned him.
The school probably should have responded to the problem he found, but at the same time, he should have stopped meddling when he was instructed to do so. Not listening to the school in this case I would say is indeed improper conduct.
A bit too much "he said, he said" to nail down who was actually in the wrong, but I will say that there are a lot of places out there (the Federal Government being top of the list) who will move heaven and earth to hide a problem rather than lift a finger to fix it.