Understand what can go wrong and explain it the simplest possible way.
Support your explanation with a realistic attack scenario. Provide a pragmatic example of how the risk can result in an actual attack.
Explain what is the impact to the business if this risk becomes true. At the end of the day it’s about the most important thing.