If your software is only intended to demonstrate the existence of a security flaw but contains no payload, then it is less obviously criminal. Still technically so, I suppose, but not so obviously that you couldn't make some kind of argument.
The collection of traffic and 'content' data is not beneficial though, so I suppose the treaty has to go for that reason.
I do not see anything criminal at all in writing some malware or exploits. _Applying_ them to a system where they might cause damage, however, that is a completely different matter.
You don't go after the blacksmith or manufacturer of kitchen knives or guns either. You go after the one using them for the wrong purpose.