This isn't as bad a practice as you would think. I'm gonna tackle this in a real-world sense and leave out some of the more technical things.

First, when I measure security I usually try to go "Better or Worse", like when you're at the eye doctor. Trying to be totally secure is a joke, while at the same time you shouldn't ignore security.

So his method beats: sticky notes, a common (shared) password, a file on his hard drive, a sheet of paper with all the passwords written on it, an unencrypted file on a service like Dropbox (that creates real files).

His method is less secure than a cloud-based password manager or a local file-based password manager. (That's as far as I am going to go with the more secure because that's as far as a normal PC user is likely to go.)

So he's not doing too bad. He is more secure than probably 90% of the users on the internet. More importantly, he is aware of the need to be secure and has taken some steps.

As for "vectors of attack", there are really only a few realistic ones: someone with physical access to his machines (a game over anyway), and someone hacking his Google account. Yes, there are others, but even the best password managers have to encrypt things in a way that they can be decrypted. So someone going postal at Google and accessing "his" spreadsheet and stealing his ID is about the same as someone going postal at LastPass and reversing hashing on some of the files and using that.

However, if someone were to hack his Google account, it's all over, but again that can be true for any cloud-based or hosted password manager.

The last vector is the most important. Because he is using a service that is not meant to store sensitive data, there is no way for a browser or computer to tell that the data is sensitive. So, as others have stated, the document, or parts of it, may be cached on phones or computers in plain text. Truly I think this is the largest risk he faces.

So, is he secure enough to hold nuke launch codes? Probably not. Is he secure enough to hold his data? He is already above average. If he were my friend I would advise him to look at LastPass or KeePass as an alternative. LastPass in particular should be a very easy switch for him.

P.S.

I am not trying to advocate this as a way of storing information. I am simply stating that his method is better than some, and worse than some, and it's up to the user to decide how much security they need. I would be more than ecstatic if I could get my grandmother to use this method.