tl;dr: Make your professional opinion known politely to the client in writing, with your advice, them let the client decide, and have records of this decision.
While I agree with you that security should be paramount, in reality, it is often trumped by adhoc business needs and costs. The owner/C-level want this or that to be able to happen, even tho you know it's bad security. You explain it, recommend alternative, then go with what they decide, no matter how asinine, provided you like receiving money. Document the decision so that when the inevitable happens, you've covered your posterior.
From the outset, it doesn't seem like the client is taking things too seriously when it comes to data, they are using sql express after all. The client typically doesn't want to be bothered with our techno babble of how they are doing it wrong, they want it to just work and on budget. They purchase service contracts and warranties so that when something does go wrong, they pick up the phone to get it fixed or point fingers of blame towards when legal gets involved. It's all about passing responsibility. That's why you document and get signed off that the client is aware of these shortfalls and that you work doesn't cover any breach due to the shortfalls. The client sure as hell doesn't need or want a pissing match between you and another vendor, even if you are correct.
Don't piss off the client. Call it a day, cash your check, have some beer.