Tell your client to read up on cybersecurity, because his premise is nonsense. Security through obscurity has been discredited since 1851 (yes, that’s one and a half century ago). The opposite is also untrue. Open source software is not more secure than proprietary software.
The crucial thing in code security is not whether it’s open or not, but whether it’s well maintained. WordPress has an active community that is constantly alert on security matters. Follow the guidelines. Ask yourself how alert the authors of a rival cms are.
That said, security is a constant threat. There are no proofs or guarantees.