if they're that owned, it's highly unlikely that you telling them about some additional vulnerability is going to help their attackers. and you'll figure it out soon enough when none of your proposed fixes are enacted.
True - but if they're _not_ that owned, TLS encrypted email probably would have been sufficient. (Though I'm not sure how easy it is to force/ensure TLS in common email clients…)
TLS only protects a single link: from your client to your server. It doesn't prevent disclosure on that server, on any relaying servers in between, or between their server and their client (remember, they may be reading email on wifi in a coffee shop).
S/MIME email is another end-to-end encryption scheme, like PGP, but it isn't as popular among a technical crowd as PGP is.