For email, it's actually really simple. What he sees in email headers (From, Subject, etc.) is the equivalent of the return address written in the top left corner of an envelope. There's absolutely nothing keeping you from putting false information there, and if he doesn't believe you ask him when's the last time he had to present identification to send a letter. What you're showing him instead is kind of like inspecting the cancellation mark on the stamp to determine that while the return address may say the White House, the letter was actually mailed from Portland, Oregon.
To give him an impression of the need to update, there are a few things to point out, and hopefully at least one will get through.
* First, among the most dangerous sites on the web these days are church websites - they're created as a volunteer effort by someone who may not even still be with the church (or who graduated HS and moved on in life). They're unmaintained. If they're infected, it may be a long time before someone even notices. In contrast, the "skeevy" sites like porn have a financial incentive to make sure their sites are safe.
* Second, once upon a time malware was written by spotty-faced geeks competing with each other for reputation. Those days are gone and have been gone for 20 years. These days malware is written by professional virus authors who do it for a living.
* Finally, show him the picture from http://www.deependresearch.org/2012/11/common-exploit-kits-2012-poster.html which shows a bunch of *commercially available* malware kits used to create new viruses and some of the security holes they target.