"Got to be some kind of idiot to put PII on cloud."
Got to be some kind of idiot to put PII anywhere that you are not confident it is appropriately secured, monitored and audited.
Cloud is not itself the problem, all the tools are there to place multiple blockers between unauthorised persons and the data. We see plenty of reports of data breaches on private data centres owned and operated by the data owner.
The difference is:
a) the business taking their responsibility seriously
b) engaging the right people to implement established good practises to secure the data.
I don't particularly advocate using cloud, I generally believe it should be easier to secure the data in a building you own and control, but don't claim cloud is insecure just because your CEO let's the Marketing team do whatever they want with the company data.