The WSJ detailed exactly how the hack happened back in October. The short explanation is that iOS had a feature that let apps automatically dial a designated telephone number when a user tapped on a link -- now, iOS 10.3 requires users to confirm they want to dial the number before a call is initiated. In the case of this attack, Desai allegedly wrote code and posted it on Twitter; 911 was dialed when users tapped the link.
But once the call was started and the user hung up the phone, the phone would automatically dial it back again -- the only way to break the chain was to shut the phone off entirely. Android phones weren't affected by this issue. If you tapped the link while using Android or on the web, you'd instead get directed to a site that simply said "LOLOLOLOLOLOLOL."
Apple may have closed off the issue that caused this specific attack, but 911 systems remain surprisingly vulnerable to brute-force overloads. As noted by the WSJ, there are 6,500 911 call centers in the US, but only 420 of them are part of a cybersecurity defense program. The Department of Homeland Security has been working on ways to prevent and defend against these types of brute-force attacks, but it hasn't come up with a solution just yet. As for Desai, he claims that he released the code by accident, but that doesn't change the very real harm his prank caused.