So based on the same logic if somebody finds a vulnerability in your online bank account platform he can legally and morally empty your bank account?

The DAO investors have agreed to the code, but they haven't agreed to the vulnerability and the unforeseen thefts that could occur.

The same way if an armed robber would enter in their office, they would obviously file charges against him, and not say " well we agreed to the code, which implies that armed robbers can rob us anytime".