I agree, with the exception of our military, who may do such things against foreign adversaries in time of war or in response to hack attempts made against us.
But doing internal security research and then saying "hey, I found out there is this big error in IE7" should never be illegal. I would not go about it quite that way (I would always give the vendor a heads-up, but if the problem is not addressed I would feel obligated to let the public know).
Finding the holes shouldn't be illegal, but reporting them publicly without first notifying the vendor, or even worse releasing exploit code prior to the vendor having time to develop a patch, should be.
I would say this should not be done, but not that it should be illegal to do otherwise. Setting this up sets a precedent where a company can produce an unsafe product and when the defect is found the public is not made aware of the problem *or* how to protect themselves from harm.
Imagine if I found a serious defect in a baby car seat model and could not make it public without the OK of the manufacturer? Sure, my butt would be covered, but that would be little comfort to someone who lost a baby in the time it took me to report it to the company and for the company to decide whether it was worth it to recall or take the risk of being sued.
Why should a computer system be any different? Computers run hospitals, banks, and medical research facilities. We're not just talking about the risk of losing money when a computer defect causes a problem; we could be talking about lives!