As a service provider, I am not sure how to handle this because, technically, it's "their server".
On the other hand, 'their' server has to share a network with other servers. If they refuse to use best current security practices, their server will start interfering with other servers.
So the answer is: don't sell them unsecured VMs. If they can't take the above argument and insist, at least charge them more based on the fact that you will have to clean up the mess eventually. And if you have many such customers, invest in some monitoring solution that can detect hacked boxen.