Saturday 25 March 2017

Some good reasons to upgrade to sql 2016 - GDPR



The business might not like the cost of upgrading from an older version of SQL, plus the costs of a possibly new operating system and maybe new hardware.

Just explain to them that they need to consider data security, how business critical the data is and that the data is their main asset.

GDPR is on its way; that's another reason to seriously consider upgrading to SQL 2016.

Some features that will sway the argument your way are:-

Note: the features below are available for all versions from SQL 2019 SP1.

Always Encrypted

Unlike TDE (transparent data encryption), which only encrypts data at rest, AE encrypts data at rest and in transit. The data is only decrypted at the application layer. Even DBAs with sysadmin rights cannot see the data unless they have the certificate key.

Dynamic Data Masking

Basically, this allows server-side masking of sensitive data. You can restrict what an end user sees based on the privileges they have. This could be very good where general users need to see part of a credit card number, but not all of it. Developers and testers using live data will only see non-sensitive data.

Row Level Security

Another great feature that allows filtering out or hiding of certain rows based on either the context of the SQL query that is being run or the privileges of the user. The end user will never know that certain rows are being hidden from the result set.
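
The following T-SQL is an added example, not code from the original post, showing Dynamic Data Masking and Row Level Security applied to the same table: the card number is masked to its last four digits and each rep is filtered to their own rows. The table, schema, function, policy and user names, and the sample rows, are all constructed for illustration.

```sql
-- Constructed demo table; every object, user and value here is hypothetical.
CREATE TABLE dbo.CustomerCards (
    CardId     int IDENTITY PRIMARY KEY,
    SalesRep   sysname       NOT NULL,   -- database user that owns the row
    CardHolder nvarchar(100) NOT NULL,
    -- Dynamic Data Masking: expose only the last four characters
    CardNumber varchar(19)
        MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL
);
INSERT INTO dbo.CustomerCards (SalesRep, CardHolder, CardNumber) VALUES
    ('RepA', N'Constructed Holder 1', '4111-1111-1111-1111'),
    ('RepB', N'Constructed Holder 2', '5500-0000-0000-0004');

CREATE USER RepA    WITHOUT LOGIN;
CREATE USER RepB    WITHOUT LOGIN;
CREATE USER Auditor WITHOUT LOGIN;
GRANT SELECT ON dbo.CustomerCards TO RepA, RepB, Auditor;
GRANT UNMASK TO Auditor;   -- the only principal allowed to read unmasked values
GO

CREATE SCHEMA Security;
GO
-- Row Level Security predicate: a row qualifies when its SalesRep matches
-- the current database user, or when the current user is Auditor.
CREATE FUNCTION Security.fn_CardRowFilter (@SalesRep AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @SalesRep = USER_NAME() OR USER_NAME() = 'Auditor';
GO
CREATE SECURITY POLICY Security.CardPolicy
    ADD FILTER PREDICATE Security.fn_CardRowFilter(SalesRep)
    ON dbo.CustomerCards
    WITH (STATE = ON);
GO

-- Run the same query as a rep (no UNMASK, filtered by the policy)
-- and as the auditor (UNMASK granted, passes the predicate for all rows).
EXECUTE AS USER = 'RepA';
SELECT CardHolder, CardNumber FROM dbo.CustomerCards;
REVERT;
EXECUTE AS USER = 'Auditor';
SELECT CardHolder, CardNumber FROM dbo.CustomerCards;
REVERT;
```

Masking changes only what a query returns; the stored value is unchanged, so UNMASK and table permissions still need to be granted sparingly.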

Conclusion

The three security features mentioned above can be used together to create a secure and flexible policy regarding sensitive data protection. Given that GDPR is on its way in 2018 and the fines can be high, spending money now on SQL 2016 could very well be worth the investment. Consider the purchase as an insurance policy against data loss and subsequent fines, loss of corporate prestige etc.