That's already the case. Lawyers can be disbarred for filing frivolous lawsuits.
The general form of such a "legal threat" (threat relating to the law) is perfectly reasonable, normal, and legal (as in, conforming to the law). It's a standard part of practicing law.
However, in this specific case, they do appear to have broken one professional rule, regarding the threat of criminal prosecution conditional on a civil demand.
Aside from that one professional rule, the Fizz/Buzz letter was probably perfectly technically accurate. Whether the DA would take up the case, I doubt, but that's up to their discretion/advice from the DoJ, not based on the legal code.
I think Fizz/Buzz were incredibly foolish to send such a letter, as the researchers were essentially good samaritans being punished for their good deed (probably only because customers don't like it when supposedly professional organizations are found to be in need of such basic good deeds from good samaritans, and Fizz/Buzz would rather punish the good samaritans instead of "suffering" the "embarrassment" of public knowledge).
Completely baseless stuff can get lawyers disbarred, but many things are shades of gray. The way the CFAA is written, just about any security research on someone else's machine that doesn't include "we got permission in advance" often falls into this gray area.
The fact that the DOJ doesn't prosecute good-faith security research is DOJ policy, not actual law. The law as-written doesn't have a good-faith exemption.
