I think you already know . . . the same thing you would tell them if they were asking for credit card info to be emailed.
This does open a good question though, if a client is adamant about an insecure practice and presses a provider to do it the way they want, what is the provider's liability?
So far I've escaped this nut by providing a very convincing argument about the right way to do it.