I figured this might be your situation, and it’s not uncommon for businesses to be tied to outdated software for operational reasons. But, after the recent Garmin ransomware debacle, the Marriott data breach, the massive issues surrounding the use of Zoom for teleconferencing, and the rising expense of data breaches, every company should be taking their information security seriously. Attacks are increasing in frequency and in impact. Quite literally, you cannot afford to ignore known vulnerabilities.
The bottom line is, this will cost the company money.
If for some reason you can’t win that argument, then you should at least CYA. Get the instruction in writing, along with a specific acknowledgement of the risk involved. And tell your boss that you’re trying to protect him, too.