While there's a lot of emotional appeal to seeking justice in this case, my inner pragmatists says that this should really be looked at as free penetration testing for PhPFog. If this kind of hacking had stiff penalties (as you desire), only those with truly malicious intent (and probably financial motive) would do it. Likewise, the consequences wouldn't be some petty vandalism, but serious financial damage.

The fact remains that the site was insecure enough for a 16-year-old to find his way in. And the contributing factors to this insecurity might not have been identified had he not performed the attack in the first place.