First of all, if you present information to somebody who uses it to exploit a vulnerability and do something illegal you are very likely to get sued or even go to jail. This is not a very smart method to convince somebody or do business. Tread carefully.
Next, they do not understand the implications because you are not providing them with enough information in a manner that they understand. People have a hard time understanding risk and how vulnerabilities can lead to exploitation and what the impact of that exploitation could be. Here are some tips:
- Point them to the services that you think are vulnerable. Do not hack these unless you have written permission.
- Explain to them the information that could be obtained from their current configuration.
- Show them what the impact due to this exposure could be. Be sure to include monetary cost, man-hours to mitigate, expected downtime, legal considerations.
- Point out if they are violating any regulations like SOX or PCI and what the personal freedom implications and business impact that go along with violating these regulations are.
- Finally, give them solutions to fix the problem. Include how much it will cost and try to keep the cost as low as possible and definitely lower than the cost of an incident.
Hope that helps. Don't worry about it too much. The manager responsible for business has to do a risk assessment. If he chooses to accept the risk then it is out of your hands. Your job, I believe, is to point out the problems and make recommendations. (I am assuming that because you have not been able to just put the change in place.)
Go forth and do good things,
Cutaway