People who have never had their systems attacked have a hard time believing that anyone would do it. You have to see it happen once to understand how bad it can be.

I would suggest you list for them a bunch of things that any decent hacker could do to them, like replace all the database content with dirty words, steal customer data, crash your systems, make your systems unavailable, send fraudulent communications to your customers that appear to be from your company, use your systems to attack some government web server, etc.