Given all this sage advice cannot be actioned,
Anything CAN be done. It is all about will.
If the client is European then they fall under GDPR. If you knowingly assist them in running a system that is known to be insecure then you can be liable. Giving him a 'solution' which is insecure is not best advice.
I personally would have it in black and white that I had advised the client of their responsibilities and liabilities and suggest they change provider soonest. And if they weren't going to change, I'd probably leave them to it.
It really IS that serious.
Regrettably burying your head in the sand doesn't wash in front of a judge.
I'm not trying to be unkind. Just trying to give the correct answer (even if it isn't what they want to hear), and prevent the OP, and his client, from getting sued.
Telling him anything else effectively makes me complicit too.