Whitelisting specific IPs for NLB and the effect on LCU cost?

0

A customer wants to whitelist specific IPs to access the NLB (and the EC2 instances).

Is it better to use NACLs on the subnets or Security Groups on the EC2 instances? Also, what does this imply in terms of cost? Meaning, if someone else tries to connect to the NLB and is refused due to the NACL or SG, does the connection count toward the LCU?

Asked 7 years ago, 1451 views
1 answer
0
Accepted answer

Using NACLs and/or SGs is not an either/or proposition. You could use both.

NACLs require more careful configuration to make sure you are allowing the ephemeral range outbound (so traffic can get back to the source). Also make sure to allow the ephemeral range coming INTO the NLB from the targets. One way this can be done is by just blanket-allowing the targets (ex: 10.0.0.0/24, all traffic) in the NACL. The payoff for this higher amount of configuration is that you can DENY as well as ALLOW, and that entire subnets are protected (guarding against a Jr. Admin launching an instance and not applying the special Security Group to it). Be aware that the NACL for the NLB subnet and the NACL for the target's subnet both come into play here.

Since Security Groups are stateful, they take care of the ephemeral ports for you. However, with an SG you cannot DENY, only ALLOW. In your case that sounds like it would work fine, since your guy wants to only allow certain IPs. Not as powerful as NACLs in my mind, but it is simpler, particularly if they don't have people launching instances manually (and thus risking missing applying the special SG).

One option is that he could control the flow mostly using Security Groups and use the Network ACL for blocking certain traffic. Example: if he wanted to allow x.x.x.x/24 but x.x.x.30/32 was abusive, he could allow the /24 in the SG and put a specific /32 DENY rule in the NACL (ahead of a general ALLOW rule).

Both NACLs and SGs have limits: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html that you need to be aware of.

As for LCUs - since blocked traffic never reaches the NLB, there would be no connection and thus nothing to meter for an LCU.

AWS
Answered 7 years ago
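The two mechanics the answer relies on, the stateless NACL needing the ephemeral range on the reply path and a low-numbered /32 DENY taking precedence over a broader ALLOW, can be checked in a small model. The following is an added example, not code from the original thread or from AWS: it evaluates NACL rules in ascending rule number with first match winning (implicit deny), evaluates a security group as stateful allow-only, and runs the answer's "/24 in the SG, /32 deny in the NACL" split. The addresses are constructed from the RFC 5737 documentation ranges, and the model assumes the target's security group sees the original client IP (as it does for NLB instance targets with client IP preservation); nothing here calls AWS.

```python
# Added example (not from the original post): model of how a stateless network ACL
# and a stateful security group each decide on a TCP flow. Addresses are constructed
# from the RFC 5737 documentation ranges; no AWS API is called.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # range the answer says the NACL must allow outbound


@dataclass(frozen=True)
class Rule:
    number: int          # NACL rules are evaluated in ascending number; SG rules are unordered
    action: str          # "allow" or "deny" (a security group can only carry "allow")
    cidr: str
    ports: tuple[int, int]

    def matches(self, addr: str, port: int) -> bool:
        lo, hi = self.ports
        return ip_address(addr) in ip_network(self.cidr) and lo <= port <= hi


def nacl_decision(rules: list[Rule], addr: str, port: int) -> bool:
    """Stateless evaluation: lowest-numbered matching rule wins; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(addr, port):
            return rule.action == "allow"
    return False


@dataclass
class NetworkAcl:
    inbound: list[Rule]
    outbound: list[Rule]

    def allows_flow(self, client_ip: str, client_port: int, server_port: int) -> bool:
        # Request: inbound list, keyed on the client address and the service port.
        # Reply: checked separately on the outbound list because the NACL is stateless,
        # keyed on the client address and the client's ephemeral port.
        request_ok = nacl_decision(self.inbound, client_ip, server_port)
        reply_ok = nacl_decision(self.outbound, client_ip, client_port)
        return request_ok and reply_ok


@dataclass
class SecurityGroup:
    inbound: list[Rule]  # allow rules only

    def allows_flow(self, client_ip: str, client_port: int, server_port: int) -> bool:
        # Stateful: only the request is evaluated; the reply is tracked automatically.
        if any(r.action != "allow" for r in self.inbound):
            raise ValueError("security groups cannot express deny rules")
        return any(r.matches(client_ip, server_port) for r in self.inbound)


def flow_permitted(nacl: NetworkAcl, sg: SecurityGroup,
                   client_ip: str, client_port: int, server_port: int) -> bool:
    """Both layers must allow the flow; either one alone can block it."""
    return (nacl.allows_flow(client_ip, client_port, server_port)
            and sg.allows_flow(client_ip, client_port, server_port))


# --- Constructed scenarios (hypothetical ranges, RFC 5737) ------------------------
ALLOWED_NET = "203.0.113.0/24"    # the customer's whitelisted range (x.x.x.x/24 in the answer)
ABUSIVE_HOST = "203.0.113.30/32"  # the one host to cut off (x.x.x.30/32 in the answer)

# Scenario 1: NACL that allows the request but forgot the ephemeral range outbound.
nacl_missing_ephemeral = NetworkAcl(
    inbound=[Rule(100, "allow", ALLOWED_NET, (443, 443))],
    outbound=[Rule(100, "allow", ALLOWED_NET, (443, 443))],  # wrong: replies go to the client's ephemeral port
)

# Scenario 2: same NACL with the ephemeral range allowed outbound to the whitelisted range.
nacl_with_ephemeral = NetworkAcl(
    inbound=[Rule(100, "allow", ALLOWED_NET, (443, 443))],
    outbound=[Rule(100, "allow", ALLOWED_NET, EPHEMERAL)],
)

# Scenario 3: the split the answer suggests. The SG carries the /24 allow; the NACL
# carries a /32 deny numbered ahead of a broad allow so it is evaluated first.
sg_allow_list = SecurityGroup(inbound=[Rule(0, "allow", ALLOWED_NET, (443, 443))])
nacl_deny_one_host = NetworkAcl(
    inbound=[Rule(50, "deny", ABUSIVE_HOST, (0, 65535)),
             Rule(100, "allow", "0.0.0.0/0", (0, 65535))],
    outbound=[Rule(100, "allow", "0.0.0.0/0", (0, 65535))],
)


def scenario_results() -> dict[str, bool]:
    return {
        "nacl_without_ephemeral_outbound": nacl_missing_ephemeral.allows_flow("203.0.113.10", 51234, 443),
        "nacl_with_ephemeral_outbound": nacl_with_ephemeral.allows_flow("203.0.113.10", 51234, 443),
        "whitelisted_host": flow_permitted(nacl_deny_one_host, sg_allow_list, "203.0.113.31", 51234, 443),
        "abusive_host_in_whitelisted_net": flow_permitted(nacl_deny_one_host, sg_allow_list, "203.0.113.30", 51234, 443),
        "host_outside_whitelist": flow_permitted(nacl_deny_one_host, sg_allow_list, "198.51.100.7", 51234, 443),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```

The first scenario is the trap the answer warns about: the request is allowed inbound, but the reply to the client's high port never matches an outbound rule, so the flow is dead even though nothing "denied" it. The third scenario shows why the /32 DENY has to carry a lower rule number than the general ALLOW; swap the numbers and the abusive host is allowed because the broad rule matches first.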
