I don't know if it can always be avoided, but I think it makes sense for a court to try to avoid the code-based approach.

It seems to be all downside (exploiting bugs will typically be OK because the code said this was OK, even if the people who wrote it never intended that) with no upside (the things rendered illegal already don't work, because code forbade them).

Courts ought to be familiar with the fact that they're present mostly to make decisions about fuzzy things like "Did the accused intend to cause harm to the victim?" and not simple mechanics like "Does being injected with cyanide kill people?".

I agree, I don't think it can always be code-only. If you socially engineer someone into giving you an account, I really think that should be fraud.

I've thought about this for some years now and looked at various different cases tried under the CFAA or otherwise claimed to be unauthorized access.

I personally believe it should turn on whether or not you used deception as the means to gain access. That is, but for your deception, would you have gained access?

This, in my mind, proves they were up to no good (mens rea) and acts to make it clearer whether or not you were authorized. It also connects to the idea that the law is mean to counteract a type of fraud in general. I mean, how can anyone say they had authorized access if they had to lie to gain access?