The security risk is just one thing, and let's be honest: if you set up stuff properly and are awake, you are pretty safe on an exchange.
The big problem is that not owning your keys is giving power to a centralized party.
It is undermining the essence of Bitcoin.
In this same way goldsmiths started storing gold for customers to give them an IOU in return. They realized only some 20% of all gold brought in was actually asked back at any given time. So they started to lend out some of that gold in their vault to gain interest on it. When that was abused too much, people got suspicious and demanded their gold back, hence the name bank run.
There is nothing stopping exchanges from doing exactly this. They will make Bitcoin a derivatives game, giving people fiat based on paper bitcoin possession.
We won't know how much fiat is backed by how much Bitcoin, and we are back where we started.
Bitcoin is designed to provide true ownership; it is made easy and unambiguous.
Only in that way can true decentralization be maintained.
Perhaps you should try to explain this to your friend.
Be prepared for many follow-up questions about a lot of stuff.
But there is a risk she isn't interested, since this would mean she has to put in a lot of effort to really understand the systems.
Many are in it for just some gains; we have to try nevertheless.
Success!