- Malware is distributed to clients from the company's website
- Website is defaced, the content deleted or website otherwise made unavailable for an extended period
- The website experiences a DoS attack, potentially affecting access to the website, Internet and email access for the company and/or affecting the performance of their file server (because it's installed on the same physical machine)
- Data stored on the company file server is stolen and provided to a competitor, leaked or deleted
If any of those would cause a significant impact to the business, then he should host the website at a hosting provider. Judging by the description you've given, these systems are just waiting to get owned, so minimise risk by outsourcing high-risk activities like Internet-facing websites.
The only time that a website should be hosted under the conditions you have described is when the website doesn't matter and nothing on the server or the machines it can directly access is important.