How do you handle a situation where a client insists on implementing a feature that introduces a significant security vulnerability?