Look at the chain of custody. At the point of origin, you have a client; the client has a computer with a secret document, a ZIP program on it, and a secret password. At the point of receipt, you will accept the ZIP file, decrypt it with the secret password, and process it.
We can assume that you and your clients are equally susceptible to attack at the end-points regardless of whether the file is carried on a disc or uploaded to the cloud. If the attacker has a keylogger or other malware on the client's machine, it hardly matters how well the data is secured.
Modern Windows ZIP utilities (WinZIP, 7-Zip) use AES-128 or AES-256 with a password derived key; this is very strong encryption. (They also offer backward compatible "ZIP 2.0 encryption", which is not secure.) The security of the encrypted data will depend entirely on the security of the password chosen. With sufficient notice to your clients, you can choose to not accept files that aren't properly encrypted.
IFF your clients use a secure password, and IFF they properly manage the password, there is no relevant security difference between the postal service and a cloud provider. In neither case is a man-in-the-middle attacker going to be able to recover the data without the ZIP password. But that's a very big IFF. You are not in control of your clients, so you cannot specify exactly what kind of security practices they will follow.
A postal service CD is more difficult for a remote attacker to intercept than a file on a server. An attack on physical media requires physical presence, something a remote hacker generally will not have. But if they do have physical access, there are many points where the disk could easily be intercepted and copied. Then, the only security you have is with the ZIP file encryption. The attacker will need both physical access to the CD and a copy of the secret password.
Cloud storage requires its own set of access mechanisms, such as passwords or certificates; which are something additional that both you and your clients need to securely manage. You may still require the ZIP file to be encrypted using a secure password (this is actually a rather common requirement.) But you each now have several sets of credentials to maintain, and this is where humans really fall down on the job. Ask them to do too much and they get confused; they may send the file unencrypted because the cloud server has a password, or they may accidentally share the upload password instead of the ZIP password. Remember, you may be tech savvy, but not all of your clients are: your clients may have completely non-technical administrative people trying to upload the data, people who will make mistakes.
If your cloud client makes two mistakes, revealing both the secret password and the cloud credentials, the attacker can win. This can be mitigated even further by use of two-factor authentication; it exacerbates the complications further, but it will help stop any cloud server mistake from spreading.
If your postal client makes one mistake, AND the attacker has physical access, the attacker can win. In this case, the client has to reveal the secret password to an unauthorized person; but social engineers are really quite good at getting this info. I wouldn't underestimate that threat.
Finally, like it or not, success will depend on how everyone feels about the cloud. If your chief security officer says "I don't trust the cloud", then all you can do by pushing harder for a cloud-based solution is to get yourself in trouble. If your marketing people tell you "my clients don't want all that security stuff", do not force your opinions on them. Telling them scare stories about CD thefts will just serve to spook them in general. When you spook your clients you risk them running away, and with no clients you have no money and no job.
You may be much better off keeping the solution in your pocket, or silently getting an implementation ready. That way when your clients say "we need faster turnaround time than this CD-in-the-mail thing", you're ready with a faster solution. But there does not appear to be a compelling need for you to change how your clients do business today, so don't force it.