You and your host are correct that 777 is a security risk. The only reason this is done is to create the config.php, .cache, SprinklerChanges.txt, and .htpasswd.
If you create these files manually (using config-example.php) and give the .cache and .htpasswd appropriate permissions it’ll work fine. Furthermore, you can move these files outside of the web root and just tell the config.php where they are.
If you need further assistance please ask.