The exchange would have enough of the money supply to control all the delegates. They wouldn't need votes from the people.
If they control delegates proportional to their holdings, that's one thing. But with delegates, they don't even need a majority if the rest of the vote is split.
There is nothing in the protocol to prevent full control by a minority holder. No other blockchain security system has this sort of weakness.
This 51% attack can occur with any cryptocurrency. Lisk, as with all other cryptocurrencies, is fully dependent on their base users.
If the majority (> 50%) of Lisk owners choose to use unregulated Somalian exchanges to trade, it is the end-users fault if the unregulated Somalian exchange decides to control the Lisk network by using end-user funds for voting their own delegates into the active delegation.
Fortunately, exchanges are fairly regulated these days. These exchanges do not use funds for voting or staking.
It doesn't have to be an exchange.
Also, it's not a 51% attack. It is a 100% attack by a minority holder. A minority holder can control 100% of the security mechanism. That can't be said of Bitcoin or any PoS system.