The problem isn't that there are known security vulnerabilities.
The problem is that there is not really an effort to address less common but critical vulnerabilities.
For example, many web servers will display error messages. Until quite recently, Apache Httpd would include some of the request data in the error pages, which allowed cross-site scripting in default configurations of mod_proxy (CVE-2019-10092), with no way for the application developers to mitigate this threat against the site users.
The major web servers, such as Apache Httpd, Nginx, IIS, and Lighttpd each have hundreds of active contributors (or in IIS's case, a large corporate structure behind it), dozens of core developers who understand security best practices, and a team dedicated specifically to reviewing code for potential vulnerabilities. As you can tell by browsing the CVEs of any of those projects, there are still things that people catch after versions are released.
The developers who write HTTP servers for programming languages are small sub-projects, developing tools to support the main product: the language. There might be a dozen people who have contributed code to that tool, and one or two core developers on that project.
They do not have the resources available to search for vulnerabilities, so while there aren't any known vulnerabilities (or at the very least, it is very bad form here to point out known vulnerabilities that are likely to remain unaddressed), there are most certainly vulnerabilities in it, simply due to the complex nature of HTTP servers.
Some of these vulnerabilities might be extremely critical, such as allowing an attacker to have complete control over your server, including executing arbitrary code with a privileged account. Such a vulnerability might not exist, but without a thorough code review—and with the large, red-boxed warning at the top of Python's documentation page—it is plausible that such a vulnerability might exist.
In your specific case, the CIO signed off on it.
It is the CIO's responsibility to ensure that risk assessments are done. As the sysadmin, it's your job to execute the company's officers' instructions, and your responsibility to ensure that the officers have the information they need to be able to make informed decisions.
Because of the boundary in responsibilities, the pushback that I would do is ask to see the risk assessment. If the risk assessment doesn't include a very high probability (due to automated tools quickly finding the vulnerable server in hours) that the server gets infected with malware and used as a Command and Control repeater node for a bot farm, offer to help them make a realistic risk assessment.
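To make the error-page point above concrete, here is an added example (not part of the answer, and a toy rather than Apache's actual code): the same error page built once by echoing the raw request line and once with the request data HTML-escaped, plus a small check a defender can run against their own server's responses. The request line and the `reflects_unescaped` helper are constructed for this illustration.

```python
import html

# Constructed request line carrying HTML metacharacters, standing in for any
# untrusted request data a server might copy into an error page.
CONSTRUCTED_REQUEST = 'GET /<script>alert(1)</script> HTTP/1.1'


def error_page_unsafe(request_line: str) -> str:
    """Error page that copies the raw request line into the HTML body.

    This is the pattern the answer describes: request data lands in the
    response unescaped, so a client-controlled value becomes markup.
    """
    return (
        "<html><body><h1>400 Bad Request</h1>"
        f"<p>Request: {request_line}</p></body></html>"
    )


def error_page_safe(request_line: str) -> str:
    """Same page, but the request data is escaped before it is embedded."""
    return (
        "<html><body><h1>400 Bad Request</h1>"
        f"<p>Request: {html.escape(request_line, quote=True)}</p></body></html>"
    )


def reflects_unescaped(body: str, request_line: str) -> bool:
    """Defensive check: does the response body contain the request data
    verbatim while that data holds HTML metacharacters?

    True means the server reflected the input without encoding it, which is
    the condition a reviewer would flag when auditing error handling.
    """
    has_meta = any(c in request_line for c in "<>\"'&")
    return has_meta and request_line in body


if __name__ == "__main__":
    for name, page in (("unsafe", error_page_unsafe(CONSTRUCTED_REQUEST)),
                       ("safe", error_page_safe(CONSTRUCTED_REQUEST))):
        print(name, "reflects unescaped:", reflects_unescaped(page, CONSTRUCTED_REQUEST))
```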