I spotted someone with a very easy-to-guess password at uni a few years back - she was typing slowly, with one finger, and her password was lemon (IIRC - something short and easy to remember anyway). So, I duly waited for her to log off, logged in as her, and sent her an email from herself, explaining why such an easy-to-guess password was a bad idea and telling her, politely, that she should change her password to something containing letters and numbers, not a dictionary word etc, and also that she should be aware of the rest of the people in the computer room. I let her know that I could have used her account for spamming or downloading porn and she would have got into trouble, not me. Oh, and I told her how to change her password.
I tried logging in to her account again the following day and the password had been changed!
Thus, my suggestion is to do something similar - log in to this guy's email, and send him something from himself, politely explaining the slight security glitch in his system... with a few pointers to sites on how to improve matters...
edit: and well done for not spamming from his account or doing anything nasty. It's nice to know there are still nice guys around!