Professional way to tell a client's IT company that they're cutting up?

Posted by Ruthlessrabbd@reddit | sysadmin | 8 comments

Hi folks in Sysadmin! I'm making this post not to poke fun, but out of genuinely being a little bit upset with the services someone is paying for. I'll preface by saying that I work internally for an organization that is client facing - we do not provide IT support for clients beyond helping them access our own portals and services.

One of the clients that we do business with is having a colleague connect remotely to their desktop with VPN to work on a local program, and I'm asked to help facilitate with the client's IT company that works for them. Much to my surprise, the link they send over to my colleague is access to their desktop management software - it's only for this one client's computer, so I proceed. The credentials to access this computer are separate from logging into the computer, and they were then sent over email (red flag #1), and had very simple parameters (red flag #2).

I get in, see the computer, and initiate a remote session. I can confirm that the program my colleague needs is able to be opened. What I also notice is that the computer access credentials seem to be for an account created on the computer (from what I gathered, it doesn't appear to be a domain environment?). This interests me a little, so I wanted to see if I'd be able to run a program as admin, just because of the two red flags. (In retrospect it was not my position to take the initiative to do this, and I recognize that I ethically made a bad call. After all, I just needed to make sure one program opened up for my colleague.)

Long story short, not only is this account a local admin, it's the same account this IT company is using to administer the organization's firewall - and the credentials for doing so are stored right there on the computer. I didn't try to log in because I'm not trying to break anything, and it's not my place to test whether it's possible or not. System level changes were also possible from this account, but I let it be.
This isn't my own client, but from IT person to IT person I really want to tell their point of contact that they need to do a better job at locking things down, and that it's unacceptable to let an outside organization have full admin access to anything on that network. I know it's possible for them to have something like Deep Freeze in their environment, but I still feel it is important to follow best practices and avoid handing out admin creds.

**TLDR:** A client we work with has an IT company that gave admin creds to one of my staff members in order for them to remotely access a computer. I discovered it was an admin by doing some light poking.

If I sent a message right now, it would read something along the lines of:

> *Hi Homer,*
>
> *I was able to confirm that we can access Diego's computer from our network, thank you for helping. I want to take a moment as a fellow IT admin, however, to talk about some of the choices that were made in granting that access...*
>
> *I mention these findings in hopes that you re-evaluate how privileged access is achieved for Diego's organization. It's ultimately a decision for you to make and one to discuss with your client, but I did not feel comfortable recognizing things and failing to disclose them.*

Is this a professional sounding message? My goal here is to genuinely inspire the IT company to change, or at the very least have a record that I find their current practices to be a bit questionable. Thanks for reading!