Any open port can be an attack vector; port 80 is an obvious one, so it will certainly get attacked. But there are many ways to reduce the risk; they should know that and at least help suggest some solutions.
You can use a different port on IIS, or you can set up the web server on a separate machine in a DMZ; it does not have to be on the FMS machine. If they are worried about attacks they should have a good firewall with active monitoring and reporting and so on. All these things increase the complexity (and cost) of the deployment, but that is their choice to make. If they are worried about security they'll have to spend money on security.