Well you did say
'A crime is a crime, and should never be tolerated. Period.'
So you did rather bring that one in. That was the crown of your conclusion.
Ok so you are saying that vandalism is wrong, which yes it is, but what was vandalised?
First off this is the digital realm, so was there a backup? Was anything actually changed on the servers? I thought this was a DDoS, not a compromise.
So I won't mince words, but I will try and get the right words to describe what happened, which was more akin to a demonstration.
If the DDoS used compromised machines, then I think you should be going on about that, because that would have been more of a crime. A DDoS is a pain, and if they didn't talk about DDoS with their ISPs prior to getting the server then they did not do due diligence.
The way to stop a DDoS is for your ISP to start droping packets on the border routers, and keep track of the IP numbers used then getting in contact with the other ISPs involved. To get them to start a trace and drop packets at their routers.
Once the little shit is found, then you inform police who should then make a physical appearance, and give him a good slap on his wrists. 2 years probably happened because the problem wasn't nipped in the bud, for that I would have thought probation, If he had botnet, then yeah ok two years is appropriate, with one year to serve.
A DDoS cannot be kept up indefinitely once the ISPs get involved, sure people don't realise they should go there first, but some site calling itself castlecops probably should have.