What to do if stuck with website that has poor security?
Financial institutions in the United States are obliged by the Gramm-Leach-Bliley Act to ensure the security and confidentiality of personal information. What you describe is a flagrant violation of the FTC's Safeguards Rule.
I would immediately file a complaint with the FTC.
If you are concerned about the privacy of your password and thus your account (which should be the case), you should try to educate the customer service. The developer FAQ from the public shaming project for this kind of recklessness lists a few good points and is worth a read.
Also, you should point out that you feel insecure and lose trust in the company and will make them liable for any problems that stem from this no-go.
You should also document that behaviour and try to get a written quote on their point of view if they do not see a reason to fix this. Thus, if any problems arise, it will make the whole thing easier for you from a legal point of view.
Besides that, by submitting the site to plaintext offenders, you will provide a third-party point of view, which might help your case.
Also, I assume you use a secure unique password for that site and hopefully have always done so.
If not, treat this as a regular leak, changing all your passwords (and on that occasion, make sure to use unique passwords for each service)
You could report this to the administrators of the site, but in the likely event that the e-mail is picked up by customer services it's unlikely to be understood.
Hopefully it'll be elevated to a development team who will hopefully understand it.
However you may wish to urge caution as if it's grossly misunderstood you don't want to be accused of hacking.
Alternatively in the UK for example the "data protection act" is legislation to protect against such mishandling. The "information commissioners office" handles complaints. In particular there is statement on the gov.uk site to contact the ICO if:
Make a complaint
If you think your data has been misused or that the organisation holding it hasn’t kept it secure, you should contact them and tell them.
If you’re unhappy with their response or if you need any advice you should contact the Information Commissioner’s Office (ICO).
https://www.gov.uk/data-protection/make-a-complaint
The ICO is a useful resource: https://ico.org.uk/
The UK is particularly good and I suspect other countries have similar legislations in place, however certainly other countries aren't as forthcoming.