First, I will emphasize that Reg E is a consumer protection regulation and that more often than not, the consumer wins in unauthorized electronic funds transfer claim. In the case of Reg E, if a consumer writes a PIN on their debit card and loses it, the bank cannot impose a greater liability on the consumer than is allowed under Reg E.
I would say that while negligent your customer has done the equivalent with their phone. The PIN was in plain sight or saved somehow and the passcode to enter the phone in the first place was removed I assume because it was traded in or sold. But I would also opine that the date the phone was delivered for this transaction the customer now had knowledge of the loss of their device. They may not have completely realized their information was exposed, but they certainly knew it was there and was now open for viewing. It's quite irresponsible, but that isn't a Reg E factor. It could be with some other branded cards, but here it was used in the bank app. Still, I would maintain sans evidence from the consumer that they potentially have a greater liability based on when it was reported and when they advised the bank of the loss.
Using an acid test, your customer neither did the transaction, authorize it or benefited from it so it can easily be a valid claim. Some may believe that leaving the phone unlocked was an authorized use for anyone finding it. I go back to the initial Reg E example of having a PIN on a card so I disagree with that in this context. In that light, I recommend verifying that the bank can enforce this "(the bank) will not be liable" clause. Reg E has not kept up with technology, but I see the similarity in your problem and the existing rule. Because of that, I would not automatically deny the claim.
If the customer did this phone sale transaction with a friend and could identify who completed the transaction, I would look hard this may have been an authorized use in some way just to protect the bank. If there was any fraud or collusion, the customer would have benefited from it in some way.