The issue is not whether or not he should suffer a penalty. The issues are fairness and appropriation of blame.
First Gary allegedly caused $700,000 worth of damage. Whether or not those numbers are completely made up, his punishment should be appropriate to that damage. Let's look at the damage done to the economy by bankers. $7,000,000,000,000 if I remember correctly. So Gary's MAXIMUM punishment should be one ten-thousandth of the punishment meted out to the bankers.
If those numbers aren't completely made up then let's see a breakdown. How much of that bill was for the sysadmin to secure the system? That should obviously be deducted, as the sysadmin should have done that anyway. What exactly was damaged? Was some backed-up data damaged? How does it cost over half a million dollars to recover stuff from backup? Was some non-backed-up data damaged? Why would it be Gary's fault that data was not backed up? Why would it be Gary's fault that the data was not at least read-only for non-authenticated users? Did he cause some hardware damage? How would that be possible?
Secondly Gary wandered into an unprotected system. The password was either non-existent or dead simple to guess. The sysadmin should be held responsible for not securing a system containing supposedly top secret info and that could suffer damage worth $700,000. But where is the news on the sysadmins of that system being punished? And why was that computer attached to the internet in the first place? There are two parties responsible for a hacker entering an unprotected system, just as any homeowner who left a door wide open and complained about getting burgled would expect the insurance company to be less than sympathetic. Plus this happened AFTER 11/9, remember, when the US was allegedly on high alert. So was this a honeypot system?
Thirdly the US wants to "make an example" of him, and punish him yet more for "not co-operating". Gary's perfectly valid fear is that if extradited to the US and put on trial there, he will be subjected to a mock trial and thrown away basically for life, and stuck in a jail thousands of miles from his loved ones. That is an inhuman result that the US have not ruled out. We know the US already has a number of inhuman and possibly illegal measures: the death penalty, and Guantanamo Bay. Gary might not get either of those, but he will be subjected to the whims of an unnecessarily harsh regime.
And as has already been mentioned the extradition treaty with the US is very one-sided. They just have to ask. We have to prove our case in one of their courts of law. So the treaty must be renegotiated. And in general we have to stop being the US's lapdog; we are a sovereign state in our own right and until not long ago far more powerful than the US. Things have changed, but as a British citizen I hate the way our government gets ordered around by the US and just takes it all.
Nobody says Gary should not face trial. Let the US prosecutors come to a British court and make their case, including explaining why Gary gets all the flak and the sysadmin gets none, and have a UK judge decide Gary's fate based on the sysadmin's failure. The internet changes stuff but it doesn't change everything: this is a British citizen committing an offence while on British soil. If you want a comparison, what if you were to make a mucky phone call to a Yank? Would you be prosecuted for that here or in the US? Here, of course.