And it sounds to me like he's trying very hard to follow protocol here but can't even get off the starting blocks. I don't see any revelation of vulnerability details on the Twitter feed in question, do you? In fact, isn't the joke really that there are people who don't even bother to read what they're commenting on?
If I'm not mistaken, an 800 number is a toll free number in the United States. Well, have you ever tried calling one from abroad? That's one of the problems here. This guy is (like me) situated in Sweden, which as some of you may know is OUTSIDE the US borders.
To put it simply: He CAN'T call that number no matter what. It just doesn't work.
Which brings me to the next reason he's probably reluctant to phone, namely that Sweden is six (or seven, depending on whether summer time is in effect) hours east of New York, meaning that for him to actually find someone to answer the phone at the other end he's going to have to call late in the afternoon or evening, local time.
As to the other options, snail mail or fax... well, I shouldn't have to comment on that, should I?
That said, he could probably have been a bit more creative in trying to find someone not shielded by first line support to talk to, had he tried for example googling for someone on LinkedIn associated with Amex security as someone suggested here.
But the whole point is, why the h*ll should he have to??
He found/heard of/(re)searched/stumbled upon/whatever a serious security problem and as a good netizen he wanted to inform the party involved, and was unable to find someone to talk to, in part because he wasn't a customer.
That's not good security policy no matter how you look at it.