Why not? If the competitor decides not to take his advice, and he then reports him for violating PCI, he can say, "Hey look, I reached out via email to him and tried to help, he blew me off/didn't fix anything, so I then took steps to protect his customers, since he wasn't."
It's about retaliation and legal issues. The guy could easily retaliate with a smear campaign or even take legal action saying he was "hacking" or doing "espionage".
Whistleblowing often has negative consequences for the whistleblower.