Rather than a defence...
Several issues seem not to have been granted sufficient attention.
Firstly, a distinction must be made between investigation of an exploitable vulnerability and the acts of exploiting or publicising one.
Secondly, authorisation for investigation is not always obtainable - e.g. where a system owner fails to respond to an alert.
I consider that a public interest defence is not a sufficient protection for legitimate researchers, because it exposes legitimate investigators to the hazard of a decision going against them after the fact.
I suggest (and proposed the last time this came round) that there should be an exemption for registered infosec professionals under very strict conditions - viz.:
[1] only for investigation and discovery of vulnerabilities (not publication, live demonstration or exploitation)
[2] where authorisation has been sought but cannot be obtained
[3] for communication to the system owners only (not for publication)
[4] only for those investigators currently registered with a relevant professional association
[5] only after informing a relevant authority of the intended investigation prior to proceeding
For all other circumstances a public interest defence (e.g. investigation for publication) would be sufficient, but there are many cases on record where a system owner or vendor has proved uncooperative, making investigation in the public interest hazardous for the researcher. This alternative aims to eliminate the hazard under stringent control (also in the public interest).