Unreal crime
as a citizen of a sovereign nation, he should absolutely stay right where he is, in the UK. if he accessed a server in Saudi Arabia by using a default password that someone didn't bother to change, would it be reasonable to extradite him to SA, considering their human rights record?
speaking of human rights, US practices haven't exactly been warm and fuzzy lately. they're not as bad as SA, but they're not good, either (Gitmo and secret prisons abroad, anyone?).
as for the crime itself, it can be argued that:
[1] if the server has a default password, that server is not secured. it is open to the public, especially if it is accessible through the firewall, because there is no circumvention or hacking required to access it. this puts the responsibility on the server admin, where it belongs, and doesn't turn some poor curious schmuck (yes, Gary, i'm looking at you) into a criminal.
[2] US organizations, and especially the government, have a habit of wildly exaggerating the damage caused by hacking, so as to pressure someone into a plea bargain. this saves the trouble and risk of going to court, where a judge or jury may decide that the plaintiff is making absurd, unsubstantiated claims, and dismiss the case.
access does not usually constitute damage, unless the accessed information was confidential and the organization was materially harmed by the dissemination of this information. if Gary altered things while he was in those systems, he may be out of luck on this defense; however, $700K of damage is a substantial number, and they should provide some proof to support that figure.
if incompetent US government employees or contractors are trying to cover their backsides with Gary's conviction, i think the names of these persons or companies should be given wide publicity, to discourage future stupidity.
default passwords went out of fashion in the early 90's. a default password on a US government server (and especially military servers) is like a man wearing bell bottoms and a daishiki at a black-tie event. the admins responsible should be held accountable for this breach. throwing the book at a script kiddie (Gary is one by his own admission) will accomplish nothing.