Should I warn a professor about his bad internet security practice?

If this was a one-time thing and you don't know this person very well, I would avoid bringing it up.

Once you know this person fairly well or communicate with them on a semi-regular basis, then sure, in your next email to the person just put as a note at the end of the email that they might be cautious about including the entire webpage.

The concern is that it might be off-putting to someone if they don't know you well and perhaps this professor actually verified that no personal info was included.

I think it is first necessary to evaluate the actual risks involved in such practice. Forwarding an entire email web-page is indeed a bad habit in terms of security, but it does not necessarily point to specific vulnerabilities (like remote code execution, injection-based attacks...) with a clear risk assessment.

My point from the above is, given the circumstances, it's hard to articulate the exact risks caused by this incident. If this is an isolated incident, especially if you don't have a relatively close relationship with this professor, I would strongly discourage you from bringing it up. Keep in mind that it's hard to express the right degree of sympathy through an e-mail, and therefore, you might come across as picky, arrogant or even rude. (This is especially true if you're emailing someone who isn't familiar with you personally)

EDIT: I also agree with @Austin Henley's answer, especially the last part: "he might have actually verified that no personal info was included"

You shouldn't do this, because there's no point in doing so. If this person isn't tech savvy enough to be able to properly forward an email, they're certainly not going to be able to understand a subtle security risk like this one. As long as he's not doing something egregious (like sending you his password in plain-text), don't worry about it and just be glad that he didn't print out the email and snail-mail it to you.